Merge remote-tracking branch 'up/master' into master-riscv64
Signed-off-by: David Abdurachmanov <david.abdurachmanov@sifive.com>
|
@ -47,3 +47,4 @@ openssl-1.0.0a-usa.tar.bz2
|
|||
/openssl-1.1.1d-hobbled.tar.xz
|
||||
/openssl-1.1.1e-hobbled.tar.xz
|
||||
/openssl-1.1.1f-hobbled.tar.xz
|
||||
/openssl-1.1.1g-hobbled.tar.xz
|
||||
|
|
|
@ -0,0 +1,27 @@
|
|||
commit 9e885a707d604e9528b5491b78fb9c00f41193fc
|
||||
Author: Tomas Mraz <tmraz@fedoraproject.org>
|
||||
Date: Thu Mar 26 15:59:00 2020 +0100
|
||||
|
||||
s_server: Properly indicate ALPN protocol mismatch
|
||||
|
||||
Return SSL_TLSEXT_ERR_ALERT_FATAL from alpn_select_cb so that
|
||||
an alert is sent to the client on ALPN protocol mismatch.
|
||||
|
||||
Fixes: #2708
|
||||
|
||||
Reviewed-by: Matt Caswell <matt@openssl.org>
|
||||
(Merged from https://github.com/openssl/openssl/pull/11415)
|
||||
|
||||
diff --git a/apps/s_server.c b/apps/s_server.c
|
||||
index bcc83e562c..591c6c19c5 100644
|
||||
--- a/apps/s_server.c
|
||||
+++ b/apps/s_server.c
|
||||
@@ -707,7 +707,7 @@ static int alpn_cb(SSL *s, const unsigned char **out, unsigned char *outlen,
|
||||
if (SSL_select_next_proto
|
||||
((unsigned char **)out, outlen, alpn_ctx->data, alpn_ctx->len, in,
|
||||
inlen) != OPENSSL_NPN_NEGOTIATED) {
|
||||
- return SSL_TLSEXT_ERR_NOACK;
|
||||
+ return SSL_TLSEXT_ERR_ALERT_FATAL;
|
||||
}
|
||||
|
||||
if (!s_quiet) {
|
|
@ -0,0 +1,57 @@
|
|||
diff -up openssl-1.1.1g/crypto/evp/pkey_kdf.c.edk2-build openssl-1.1.1g/crypto/evp/pkey_kdf.c
|
||||
--- openssl-1.1.1g/crypto/evp/pkey_kdf.c.edk2-build 2020-05-18 12:55:53.299548432 +0200
|
||||
+++ openssl-1.1.1g/crypto/evp/pkey_kdf.c 2020-05-18 12:55:53.340548788 +0200
|
||||
@@ -12,6 +12,7 @@
|
||||
#include <openssl/evp.h>
|
||||
#include <openssl/err.h>
|
||||
#include <openssl/kdf.h>
|
||||
+#include "internal/numbers.h"
|
||||
#include "crypto/evp.h"
|
||||
|
||||
static int pkey_kdf_init(EVP_PKEY_CTX *ctx)
|
||||
diff -up openssl-1.1.1g/crypto/kdf/hkdf.c.edk2-build openssl-1.1.1g/crypto/kdf/hkdf.c
|
||||
--- openssl-1.1.1g/crypto/kdf/hkdf.c.edk2-build 2020-05-18 12:55:53.340548788 +0200
|
||||
+++ openssl-1.1.1g/crypto/kdf/hkdf.c 2020-05-18 12:57:18.648288904 +0200
|
||||
@@ -13,6 +13,7 @@
|
||||
#include <openssl/hmac.h>
|
||||
#include <openssl/kdf.h>
|
||||
#include <openssl/evp.h>
|
||||
+#include "internal/numbers.h"
|
||||
#include "internal/cryptlib.h"
|
||||
#include "crypto/evp.h"
|
||||
#include "kdf_local.h"
|
||||
diff -up openssl-1.1.1g/crypto/rand/rand_unix.c.edk2-build openssl-1.1.1g/crypto/rand/rand_unix.c
|
||||
--- openssl-1.1.1g/crypto/rand/rand_unix.c.edk2-build 2020-05-18 12:56:05.646655554 +0200
|
||||
+++ openssl-1.1.1g/crypto/rand/rand_unix.c 2020-05-18 12:58:51.088090896 +0200
|
||||
@@ -20,7 +20,7 @@
|
||||
#include "crypto/fips.h"
|
||||
#include <stdio.h>
|
||||
#include "internal/dso.h"
|
||||
-#ifdef __linux
|
||||
+#if defined(__linux) && !defined(OPENSSL_SYS_UEFI)
|
||||
# include <sys/syscall.h>
|
||||
# include <sys/random.h>
|
||||
# ifdef DEVRANDOM_WAIT
|
||||
diff -up openssl-1.1.1g/include/crypto/fips.h.edk2-build openssl-1.1.1g/include/crypto/fips.h
|
||||
--- openssl-1.1.1g/include/crypto/fips.h.edk2-build 2020-05-18 12:55:53.296548406 +0200
|
||||
+++ openssl-1.1.1g/include/crypto/fips.h 2020-05-18 12:55:53.340548788 +0200
|
||||
@@ -50,10 +50,6 @@
|
||||
#include <openssl/opensslconf.h>
|
||||
#include <openssl/evp.h>
|
||||
|
||||
-#ifndef OPENSSL_FIPS
|
||||
-# error FIPS is disabled.
|
||||
-#endif
|
||||
-
|
||||
#ifdef OPENSSL_FIPS
|
||||
|
||||
int FIPS_module_mode_set(int onoff);
|
||||
@@ -97,4 +93,8 @@ void fips_set_selftest_fail(void);
|
||||
|
||||
void FIPS_get_timevec(unsigned char *buf, unsigned long *pctr);
|
||||
|
||||
+#else
|
||||
+
|
||||
+# define fips_in_post() 0
|
||||
+
|
||||
#endif
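Review bot: The new `#else` branch in include/crypto/fips.h stubs only `fips_in_post()`, while the dropped `# error FIPS is disabled.` was what previously stopped a non-FIPS build from including this header at all; any other `fips_*`/`FIPS_*` declaration inside the `#ifdef OPENSSL_FIPS` that starts in the `@@ -50,10 +50,6 @@` hunk now fails only at its use site. That matters for crypto/rand/rand_unix.c, which in the shown context includes `"crypto/fips.h"` unconditionally and is now also built for `OPENSSL_SYS_UEFI`, so it should be confirmed that nothing outside the view relies on more than `fips_in_post()`. A one-line comment on the new `#else`, e.g. `/* non-FIPS / UEFI build: only the stubs below are available */`, would make that contract explicit. The `#ifdef OPENSSL_FIPS` block opens in the first hunk and closes in the second, with its body outside the view.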
|
|
@ -1,15 +1,17 @@
|
|||
diff -up openssl-1.1.1e/crypto/rand/build.info.crng-test openssl-1.1.1e/crypto/rand/build.info
|
||||
--- openssl-1.1.1e/crypto/rand/build.info.crng-test 2020-03-17 15:31:17.000000000 +0100
|
||||
+++ openssl-1.1.1e/crypto/rand/build.info 2020-03-19 16:45:52.286627241 +0100
|
||||
@@ -1,4 +1,4 @@
|
||||
diff -up openssl-1.1.1g/crypto/rand/build.info.crng-test openssl-1.1.1g/crypto/rand/build.info
|
||||
--- openssl-1.1.1g/crypto/rand/build.info.crng-test 2020-04-23 13:30:45.863389837 +0200
|
||||
+++ openssl-1.1.1g/crypto/rand/build.info 2020-04-23 13:31:55.847069892 +0200
|
||||
@@ -1,6 +1,6 @@
|
||||
LIBS=../../libcrypto
|
||||
SOURCE[../../libcrypto]=\
|
||||
- randfile.c rand_lib.c rand_err.c rand_egd.c \
|
||||
+ randfile.c rand_lib.c rand_err.c rand_crng_test.c rand_egd.c \
|
||||
rand_win.c rand_unix.c rand_vms.c drbg_lib.c drbg_ctr.c
|
||||
diff -up openssl-1.1.1e/crypto/rand/drbg_lib.c.crng-test openssl-1.1.1e/crypto/rand/drbg_lib.c
|
||||
--- openssl-1.1.1e/crypto/rand/drbg_lib.c.crng-test 2020-03-19 16:45:52.246627936 +0100
|
||||
+++ openssl-1.1.1e/crypto/rand/drbg_lib.c 2020-03-19 16:45:52.286627241 +0100
|
||||
|
||||
INCLUDE[drbg_ctr.o]=../modes
|
||||
diff -up openssl-1.1.1g/crypto/rand/drbg_lib.c.crng-test openssl-1.1.1g/crypto/rand/drbg_lib.c
|
||||
--- openssl-1.1.1g/crypto/rand/drbg_lib.c.crng-test 2020-04-23 13:30:45.818390686 +0200
|
||||
+++ openssl-1.1.1g/crypto/rand/drbg_lib.c 2020-04-23 13:30:45.864389819 +0200
|
||||
@@ -67,7 +67,7 @@ static CRYPTO_THREAD_LOCAL private_drbg;
|
||||
|
||||
|
||||
|
@ -33,9 +35,9 @@ diff -up openssl-1.1.1e/crypto/rand/drbg_lib.c.crng-test openssl-1.1.1e/crypto/r
|
|||
#ifndef RAND_DRBG_GET_RANDOM_NONCE
|
||||
drbg->get_nonce = rand_drbg_get_nonce;
|
||||
drbg->cleanup_nonce = rand_drbg_cleanup_nonce;
|
||||
diff -up openssl-1.1.1e/crypto/rand/rand_crng_test.c.crng-test openssl-1.1.1e/crypto/rand/rand_crng_test.c
|
||||
--- openssl-1.1.1e/crypto/rand/rand_crng_test.c.crng-test 2020-03-19 16:45:52.286627241 +0100
|
||||
+++ openssl-1.1.1e/crypto/rand/rand_crng_test.c 2020-03-19 16:45:52.286627241 +0100
|
||||
diff -up openssl-1.1.1g/crypto/rand/rand_crng_test.c.crng-test openssl-1.1.1g/crypto/rand/rand_crng_test.c
|
||||
--- openssl-1.1.1g/crypto/rand/rand_crng_test.c.crng-test 2020-04-23 13:30:45.864389819 +0200
|
||||
+++ openssl-1.1.1g/crypto/rand/rand_crng_test.c 2020-04-23 13:30:45.864389819 +0200
|
||||
@@ -0,0 +1,118 @@
|
||||
+/*
|
||||
+ * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
|
||||
|
@ -155,9 +157,9 @@ diff -up openssl-1.1.1e/crypto/rand/rand_crng_test.c.crng-test openssl-1.1.1e/cr
|
|||
+{
|
||||
+ OPENSSL_secure_clear_free(out, outlen);
|
||||
+}
|
||||
diff -up openssl-1.1.1e/crypto/rand/rand_local.h.crng-test openssl-1.1.1e/crypto/rand/rand_local.h
|
||||
--- openssl-1.1.1e/crypto/rand/rand_local.h.crng-test 2020-03-19 16:45:51.930633424 +0100
|
||||
+++ openssl-1.1.1e/crypto/rand/rand_local.h 2020-03-19 16:46:03.601430727 +0100
|
||||
diff -up openssl-1.1.1g/crypto/rand/rand_local.h.crng-test openssl-1.1.1g/crypto/rand/rand_local.h
|
||||
--- openssl-1.1.1g/crypto/rand/rand_local.h.crng-test 2020-04-23 13:30:45.470397250 +0200
|
||||
+++ openssl-1.1.1g/crypto/rand/rand_local.h 2020-04-23 13:30:45.864389819 +0200
|
||||
@@ -33,7 +33,15 @@
|
||||
# define MASTER_RESEED_TIME_INTERVAL (60*60) /* 1 hour */
|
||||
# define SLAVE_RESEED_TIME_INTERVAL (7*60) /* 7 minutes */
|
||||
|
@ -207,9 +209,9 @@ diff -up openssl-1.1.1e/crypto/rand/rand_local.h.crng-test openssl-1.1.1e/crypto
|
|||
+int rand_crngt_single_init(void);
|
||||
+
|
||||
#endif
|
||||
diff -up openssl-1.1.1e/include/crypto/rand.h.crng-test openssl-1.1.1e/include/crypto/rand.h
|
||||
--- openssl-1.1.1e/include/crypto/rand.h.crng-test 2020-03-19 16:45:52.250627866 +0100
|
||||
+++ openssl-1.1.1e/include/crypto/rand.h 2020-03-19 16:45:52.285627258 +0100
|
||||
diff -up openssl-1.1.1g/include/crypto/rand.h.crng-test openssl-1.1.1g/include/crypto/rand.h
|
||||
--- openssl-1.1.1g/include/crypto/rand.h.crng-test 2020-04-23 13:30:45.824390573 +0200
|
||||
+++ openssl-1.1.1g/include/crypto/rand.h 2020-04-23 13:30:45.864389819 +0200
|
||||
@@ -49,6 +49,14 @@ size_t rand_drbg_get_additional_data(RAN
|
||||
|
||||
void rand_drbg_cleanup_additional_data(RAND_POOL *pool, unsigned char *out);
|
||||
|
@ -225,9 +227,9 @@ diff -up openssl-1.1.1e/include/crypto/rand.h.crng-test openssl-1.1.1e/include/c
|
|||
/*
|
||||
* RAND_POOL functions
|
||||
*/
|
||||
diff -up openssl-1.1.1e/test/drbgtest.c.crng-test openssl-1.1.1e/test/drbgtest.c
|
||||
--- openssl-1.1.1e/test/drbgtest.c.crng-test 2020-03-17 15:31:17.000000000 +0100
|
||||
+++ openssl-1.1.1e/test/drbgtest.c 2020-03-19 16:46:03.604430675 +0100
|
||||
diff -up openssl-1.1.1g/test/drbgtest.c.crng-test openssl-1.1.1g/test/drbgtest.c
|
||||
--- openssl-1.1.1g/test/drbgtest.c.crng-test 2020-04-21 14:22:39.000000000 +0200
|
||||
+++ openssl-1.1.1g/test/drbgtest.c 2020-04-23 13:30:45.865389800 +0200
|
||||
@@ -150,6 +150,31 @@ static size_t kat_nonce(RAND_DRBG *drbg,
|
||||
return t->noncelen;
|
||||
}
|
||||
|
|
|
@ -0,0 +1,200 @@
|
|||
diff -up openssl-1.1.1g/crypto/ec/ec_curve.c.fips-curves openssl-1.1.1g/crypto/ec/ec_curve.c
|
||||
--- openssl-1.1.1g/crypto/ec/ec_curve.c.fips-curves 2020-05-18 12:59:54.839643980 +0200
|
||||
+++ openssl-1.1.1g/crypto/ec/ec_curve.c 2020-05-18 12:59:54.852644093 +0200
|
||||
@@ -13,6 +13,7 @@
|
||||
#include <openssl/err.h>
|
||||
#include <openssl/obj_mac.h>
|
||||
#include <openssl/opensslconf.h>
|
||||
+#include <openssl/crypto.h>
|
||||
#include "internal/nelem.h"
|
||||
|
||||
typedef struct {
|
||||
@@ -237,6 +238,7 @@ static const struct {
|
||||
|
||||
typedef struct _ec_list_element_st {
|
||||
int nid;
|
||||
+ int fips_allowed;
|
||||
const EC_CURVE_DATA *data;
|
||||
const EC_METHOD *(*meth) (void);
|
||||
const char *comment;
|
||||
@@ -246,23 +248,23 @@ static const ec_list_element curve_list[
|
||||
/* prime field curves */
|
||||
/* secg curves */
|
||||
#ifndef OPENSSL_NO_EC_NISTP_64_GCC_128
|
||||
- {NID_secp224r1, &_EC_NIST_PRIME_224.h, EC_GFp_nistp224_method,
|
||||
+ {NID_secp224r1, 1, &_EC_NIST_PRIME_224.h, EC_GFp_nistp224_method,
|
||||
"NIST/SECG curve over a 224 bit prime field"},
|
||||
#else
|
||||
- {NID_secp224r1, &_EC_NIST_PRIME_224.h, 0,
|
||||
+ {NID_secp224r1, 1, &_EC_NIST_PRIME_224.h, 0,
|
||||
"NIST/SECG curve over a 224 bit prime field"},
|
||||
#endif
|
||||
- {NID_secp256k1, &_EC_SECG_PRIME_256K1.h, 0,
|
||||
+ {NID_secp256k1, 0, &_EC_SECG_PRIME_256K1.h, 0,
|
||||
"SECG curve over a 256 bit prime field"},
|
||||
/* SECG secp256r1 is the same as X9.62 prime256v1 and hence omitted */
|
||||
- {NID_secp384r1, &_EC_NIST_PRIME_384.h,
|
||||
+ {NID_secp384r1, 1, &_EC_NIST_PRIME_384.h,
|
||||
# if defined(S390X_EC_ASM)
|
||||
EC_GFp_s390x_nistp384_method,
|
||||
# else
|
||||
0,
|
||||
# endif
|
||||
"NIST/SECG curve over a 384 bit prime field"},
|
||||
- {NID_secp521r1, &_EC_NIST_PRIME_521.h,
|
||||
+ {NID_secp521r1, 1, &_EC_NIST_PRIME_521.h,
|
||||
# if defined(S390X_EC_ASM)
|
||||
EC_GFp_s390x_nistp521_method,
|
||||
# elif !defined(OPENSSL_NO_EC_NISTP_64_GCC_128)
|
||||
@@ -272,7 +274,7 @@ static const ec_list_element curve_list[
|
||||
# endif
|
||||
"NIST/SECG curve over a 521 bit prime field"},
|
||||
/* X9.62 curves */
|
||||
- {NID_X9_62_prime256v1, &_EC_X9_62_PRIME_256V1.h,
|
||||
+ {NID_X9_62_prime256v1, 1, &_EC_X9_62_PRIME_256V1.h,
|
||||
#if defined(ECP_NISTZ256_ASM)
|
||||
EC_GFp_nistz256_method,
|
||||
# elif defined(S390X_EC_ASM)
|
||||
@@ -404,6 +406,10 @@ EC_GROUP *EC_GROUP_new_by_curve_name(int
|
||||
|
||||
for (i = 0; i < curve_list_length; i++)
|
||||
if (curve_list[i].nid == nid) {
|
||||
+ if (!curve_list[i].fips_allowed && FIPS_mode()) {
|
||||
+ ECerr(EC_F_EC_GROUP_NEW_BY_CURVE_NAME, EC_R_NOT_A_NIST_PRIME);
|
||||
+ return NULL;
|
||||
+ }
|
||||
ret = ec_group_new_from_data(curve_list[i]);
|
||||
break;
|
||||
}
|
||||
@@ -418,19 +424,31 @@ EC_GROUP *EC_GROUP_new_by_curve_name(int
|
||||
|
||||
size_t EC_get_builtin_curves(EC_builtin_curve *r, size_t nitems)
|
||||
{
|
||||
- size_t i, min;
|
||||
+ size_t i, j, num;
|
||||
+ int fips_mode = FIPS_mode();
|
||||
|
||||
- if (r == NULL || nitems == 0)
|
||||
- return curve_list_length;
|
||||
+ num = curve_list_length;
|
||||
+ if (fips_mode)
|
||||
+ for (i = 0; i < curve_list_length; i++) {
|
||||
+ if (!curve_list[i].fips_allowed)
|
||||
+ --num;
|
||||
+ }
|
||||
|
||||
- min = nitems < curve_list_length ? nitems : curve_list_length;
|
||||
+ if (r == NULL || nitems == 0) {
|
||||
+ return num;
|
||||
+ }
|
||||
|
||||
- for (i = 0; i < min; i++) {
|
||||
- r[i].nid = curve_list[i].nid;
|
||||
- r[i].comment = curve_list[i].comment;
|
||||
+ for (i = 0, j = 0; i < curve_list_length; i++) {
|
||||
+ if (j >= nitems)
|
||||
+ break;
|
||||
+ if (!fips_mode || curve_list[i].fips_allowed) {
|
||||
+ r[j].nid = curve_list[i].nid;
|
||||
+ r[j].comment = curve_list[i].comment;
|
||||
+ ++j;
|
||||
+ }
|
||||
}
|
||||
|
||||
- return curve_list_length;
|
||||
+ return num;
|
||||
}
|
||||
|
||||
/* Functions to translate between common NIST curve names and NIDs */
|
||||
diff -up openssl-1.1.1g/ssl/t1_lib.c.fips-curves openssl-1.1.1g/ssl/t1_lib.c
|
||||
--- openssl-1.1.1g/ssl/t1_lib.c.fips-curves 2020-05-18 12:59:54.797643616 +0200
|
||||
+++ openssl-1.1.1g/ssl/t1_lib.c 2020-05-18 13:03:54.748725463 +0200
|
||||
@@ -678,6 +678,36 @@ static const uint16_t tls12_sigalgs[] =
|
||||
#endif
|
||||
};
|
||||
|
||||
+static const uint16_t tls12_fips_sigalgs[] = {
|
||||
+#ifndef OPENSSL_NO_EC
|
||||
+ TLSEXT_SIGALG_ecdsa_secp256r1_sha256,
|
||||
+ TLSEXT_SIGALG_ecdsa_secp384r1_sha384,
|
||||
+ TLSEXT_SIGALG_ecdsa_secp521r1_sha512,
|
||||
+#endif
|
||||
+
|
||||
+ TLSEXT_SIGALG_rsa_pss_pss_sha256,
|
||||
+ TLSEXT_SIGALG_rsa_pss_pss_sha384,
|
||||
+ TLSEXT_SIGALG_rsa_pss_pss_sha512,
|
||||
+ TLSEXT_SIGALG_rsa_pss_rsae_sha256,
|
||||
+ TLSEXT_SIGALG_rsa_pss_rsae_sha384,
|
||||
+ TLSEXT_SIGALG_rsa_pss_rsae_sha512,
|
||||
+
|
||||
+ TLSEXT_SIGALG_rsa_pkcs1_sha256,
|
||||
+ TLSEXT_SIGALG_rsa_pkcs1_sha384,
|
||||
+ TLSEXT_SIGALG_rsa_pkcs1_sha512,
|
||||
+
|
||||
+#ifndef OPENSSL_NO_EC
|
||||
+ TLSEXT_SIGALG_ecdsa_sha224,
|
||||
+#endif
|
||||
+ TLSEXT_SIGALG_rsa_pkcs1_sha224,
|
||||
+#ifndef OPENSSL_NO_DSA
|
||||
+ TLSEXT_SIGALG_dsa_sha224,
|
||||
+ TLSEXT_SIGALG_dsa_sha256,
|
||||
+ TLSEXT_SIGALG_dsa_sha384,
|
||||
+ TLSEXT_SIGALG_dsa_sha512,
|
||||
+#endif
|
||||
+};
|
||||
+
|
||||
#ifndef OPENSSL_NO_EC
|
||||
static const uint16_t suiteb_sigalgs[] = {
|
||||
TLSEXT_SIGALG_ecdsa_secp256r1_sha256,
|
||||
@@ -894,6 +924,8 @@ static const SIGALG_LOOKUP *tls1_get_leg
|
||||
}
|
||||
if (idx < 0 || idx >= (int)OSSL_NELEM(tls_default_sigalg))
|
||||
return NULL;
|
||||
+ if (FIPS_mode()) /* We do not allow legacy SHA1 signatures in FIPS mode */
|
||||
+ return NULL;
|
||||
if (SSL_USE_SIGALGS(s) || idx != SSL_PKEY_RSA) {
|
||||
const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(tls_default_sigalg[idx]);
|
||||
|
||||
@@ -954,6 +986,9 @@ size_t tls12_get_psigalgs(SSL *s, int se
|
||||
} else if (s->cert->conf_sigalgs) {
|
||||
*psigs = s->cert->conf_sigalgs;
|
||||
return s->cert->conf_sigalgslen;
|
||||
+ } else if (FIPS_mode()) {
|
||||
+ *psigs = tls12_fips_sigalgs;
|
||||
+ return OSSL_NELEM(tls12_fips_sigalgs);
|
||||
} else {
|
||||
*psigs = tls12_sigalgs;
|
||||
return OSSL_NELEM(tls12_sigalgs);
|
||||
@@ -973,6 +1008,9 @@ int tls_check_sigalg_curve(const SSL *s,
|
||||
if (s->cert->conf_sigalgs) {
|
||||
sigs = s->cert->conf_sigalgs;
|
||||
siglen = s->cert->conf_sigalgslen;
|
||||
+ } else if (FIPS_mode()) {
|
||||
+ sigs = tls12_fips_sigalgs;
|
||||
+ siglen = OSSL_NELEM(tls12_fips_sigalgs);
|
||||
} else {
|
||||
sigs = tls12_sigalgs;
|
||||
siglen = OSSL_NELEM(tls12_sigalgs);
|
||||
@@ -1617,6 +1655,8 @@ static int tls12_sigalg_allowed(const SS
|
||||
if (lu->sig == NID_id_GostR3410_2012_256
|
||||
|| lu->sig == NID_id_GostR3410_2012_512
|
||||
|| lu->sig == NID_id_GostR3410_2001) {
|
||||
+ if (FIPS_mode())
|
||||
+ return 0;
|
||||
/* We never allow GOST sig algs on the server with TLSv1.3 */
|
||||
if (s->server && SSL_IS_TLS13(s))
|
||||
return 0;
|
||||
@@ -2842,6 +2882,13 @@ int tls_choose_sigalg(SSL *s, int fatale
|
||||
const uint16_t *sent_sigs;
|
||||
size_t sent_sigslen;
|
||||
|
||||
+ if (fatalerrs && FIPS_mode()) {
|
||||
+ /* There are no suitable legacy algorithms in FIPS mode */
|
||||
+ SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
|
||||
+ SSL_F_TLS_CHOOSE_SIGALG,
|
||||
+ SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM);
|
||||
+ return 0;
|
||||
+ }
|
||||
if ((lu = tls1_get_legacy_sigalg(s, -1)) == NULL) {
|
||||
if (!fatalerrs)
|
||||
return 1;
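Review bot: The `if (FIPS_mode()) return NULL;` added to tls1_get_legacy_sigalg in ssl/t1_lib.c (`@@ -894,6 +924,8 @@`) sits before the `SSL_USE_SIGALGS(s) || idx != SSL_PKEY_RSA` branch, so it appears to reject not only the TLS 1.2 SHA-1 defaults but every certificate signature on TLS < 1.2, where no signature_algorithms negotiation exists; if that is intended the comment should say so, e.g. `/* FIPS mode: no legacy SHA1/MD5-SHA1 signatures, which also rules out TLS < 1.2 with a signing cert */`. In crypto/ec/ec_curve.c the new `fips_allowed` field is inserted positionally into each `curve_list[]` initializer, and only a few entries are visible in the `@@ -246,23 +248,23 @@` and `@@ -272,7 +274,7 @@` hunks; designated initializers (`{ .nid = NID_secp224r1, .fips_allowed = 1, .data = &_EC_NIST_PRIME_224.h, ... }`) would let an entry that misses the new field default to 0 (not allowed) instead of relying on a pointer-to-int diagnostic. The enclosing functions `tls1_get_legacy_sigalg` and `EC_GROUP_new_by_curve_name` both start and end outside their hunks.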
|
|
@ -1,6 +1,6 @@
|
|||
diff -up openssl-1.1.1e/crypto/fips/fips_post.c.drbg-selftest openssl-1.1.1e/crypto/fips/fips_post.c
|
||||
--- openssl-1.1.1e/crypto/fips/fips_post.c.drbg-selftest 2020-03-19 17:07:51.096676537 +0100
|
||||
+++ openssl-1.1.1e/crypto/fips/fips_post.c 2020-03-19 17:07:51.209674565 +0100
|
||||
diff -up openssl-1.1.1g/crypto/fips/fips_post.c.drbg-selftest openssl-1.1.1g/crypto/fips/fips_post.c
|
||||
--- openssl-1.1.1g/crypto/fips/fips_post.c.drbg-selftest 2020-04-23 13:33:12.500624151 +0200
|
||||
+++ openssl-1.1.1g/crypto/fips/fips_post.c 2020-04-23 13:33:12.618621925 +0200
|
||||
@@ -67,12 +67,18 @@
|
||||
|
||||
# include <openssl/fips.h>
|
||||
|
@ -20,18 +20,20 @@ diff -up openssl-1.1.1e/crypto/fips/fips_post.c.drbg-selftest openssl-1.1.1e/cry
|
|||
if (!FIPS_selftest_drbg())
|
||||
rv = 0;
|
||||
if (!FIPS_selftest_sha1())
|
||||
diff -up openssl-1.1.1e/crypto/rand/build.info.drbg-selftest openssl-1.1.1e/crypto/rand/build.info
|
||||
--- openssl-1.1.1e/crypto/rand/build.info.drbg-selftest 2020-03-19 17:07:51.179675088 +0100
|
||||
+++ openssl-1.1.1e/crypto/rand/build.info 2020-03-19 17:08:14.005276610 +0100
|
||||
@@ -1,4 +1,4 @@
|
||||
diff -up openssl-1.1.1g/crypto/rand/build.info.drbg-selftest openssl-1.1.1g/crypto/rand/build.info
|
||||
--- openssl-1.1.1g/crypto/rand/build.info.drbg-selftest 2020-04-23 13:33:12.619621907 +0200
|
||||
+++ openssl-1.1.1g/crypto/rand/build.info 2020-04-23 13:34:10.857523497 +0200
|
||||
@@ -1,6 +1,6 @@
|
||||
LIBS=../../libcrypto
|
||||
SOURCE[../../libcrypto]=\
|
||||
randfile.c rand_lib.c rand_err.c rand_crng_test.c rand_egd.c \
|
||||
- rand_win.c rand_unix.c rand_vms.c drbg_lib.c drbg_ctr.c
|
||||
+ rand_win.c rand_unix.c rand_vms.c drbg_lib.c drbg_ctr.c drbg_selftest.c
|
||||
diff -up openssl-1.1.1e/crypto/rand/drbg_selftest.c.drbg-selftest openssl-1.1.1e/crypto/rand/drbg_selftest.c
|
||||
--- openssl-1.1.1e/crypto/rand/drbg_selftest.c.drbg-selftest 2020-03-19 17:08:14.011276505 +0100
|
||||
+++ openssl-1.1.1e/crypto/rand/drbg_selftest.c 2020-03-19 17:08:14.011276505 +0100
|
||||
|
||||
INCLUDE[drbg_ctr.o]=../modes
|
||||
diff -up openssl-1.1.1g/crypto/rand/drbg_selftest.c.drbg-selftest openssl-1.1.1g/crypto/rand/drbg_selftest.c
|
||||
--- openssl-1.1.1g/crypto/rand/drbg_selftest.c.drbg-selftest 2020-04-23 13:33:12.619621907 +0200
|
||||
+++ openssl-1.1.1g/crypto/rand/drbg_selftest.c 2020-04-23 13:33:12.619621907 +0200
|
||||
@@ -0,0 +1,537 @@
|
||||
+/*
|
||||
+ * Copyright 2017-2019 The OpenSSL Project Authors. All Rights Reserved.
|
||||
|
@ -570,9 +572,9 @@ diff -up openssl-1.1.1e/crypto/rand/drbg_selftest.c.drbg-selftest openssl-1.1.1e
|
|||
+
|
||||
+ return 1;
|
||||
+}
|
||||
diff -up openssl-1.1.1e/include/crypto/rand.h.drbg-selftest openssl-1.1.1e/include/crypto/rand.h
|
||||
--- openssl-1.1.1e/include/crypto/rand.h.drbg-selftest 2020-03-19 17:07:51.182675036 +0100
|
||||
+++ openssl-1.1.1e/include/crypto/rand.h 2020-03-19 17:08:14.004276627 +0100
|
||||
diff -up openssl-1.1.1g/include/crypto/rand.h.drbg-selftest openssl-1.1.1g/include/crypto/rand.h
|
||||
--- openssl-1.1.1g/include/crypto/rand.h.drbg-selftest 2020-04-23 13:33:12.587622510 +0200
|
||||
+++ openssl-1.1.1g/include/crypto/rand.h 2020-04-23 13:33:12.619621907 +0200
|
||||
@@ -140,4 +140,9 @@ void rand_pool_cleanup(void);
|
||||
*/
|
||||
void rand_pool_keep_random_devices_open(int keep);
|
||||
|
|
|
@ -1,15 +1,15 @@
|
|||
diff -up openssl-1.1.1e/apps/pkcs12.c.fips openssl-1.1.1e/apps/pkcs12.c
|
||||
--- openssl-1.1.1e/apps/pkcs12.c.fips 2020-03-17 15:31:17.000000000 +0100
|
||||
+++ openssl-1.1.1e/apps/pkcs12.c 2020-03-17 17:30:52.020567497 +0100
|
||||
@@ -127,7 +127,7 @@ int pkcs12_main(int argc, char **argv)
|
||||
diff -up openssl-1.1.1g/apps/pkcs12.c.fips openssl-1.1.1g/apps/pkcs12.c
|
||||
--- openssl-1.1.1g/apps/pkcs12.c.fips 2020-04-23 13:26:06.975649817 +0200
|
||||
+++ openssl-1.1.1g/apps/pkcs12.c 2020-04-23 13:28:27.689995889 +0200
|
||||
@@ -123,7 +123,7 @@ int pkcs12_main(int argc, char **argv)
|
||||
int export_cert = 0, options = 0, chain = 0, twopass = 0, keytype = 0;
|
||||
int iter = PKCS12_DEFAULT_ITER, maciter = PKCS12_DEFAULT_ITER;
|
||||
# ifndef OPENSSL_NO_RC2
|
||||
#ifndef OPENSSL_NO_RC2
|
||||
- int cert_pbe = NID_pbe_WithSHA1And40BitRC2_CBC;
|
||||
+ int cert_pbe = FIPS_mode() ? NID_pbe_WithSHA1And3_Key_TripleDES_CBC : NID_pbe_WithSHA1And40BitRC2_CBC;
|
||||
# else
|
||||
#else
|
||||
int cert_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
|
||||
# endif
|
||||
#endif
|
||||
diff -up openssl-1.1.1e/apps/speed.c.fips openssl-1.1.1e/apps/speed.c
|
||||
--- openssl-1.1.1e/apps/speed.c.fips 2020-03-17 17:30:51.997567897 +0100
|
||||
+++ openssl-1.1.1e/apps/speed.c 2020-03-17 17:30:52.021567479 +0100
|
||||
|
@ -879,128 +879,6 @@ diff -up openssl-1.1.1e/crypto/ec/ec_pmeth.c.fips openssl-1.1.1e/crypto/ec/ec_pm
|
|||
pkey_ec_init,
|
||||
pkey_ec_copy,
|
||||
pkey_ec_cleanup,
|
||||
diff -up openssl-1.1.1e/crypto/evp/c_allc.c.fips openssl-1.1.1e/crypto/evp/c_allc.c
|
||||
--- openssl-1.1.1e/crypto/evp/c_allc.c.fips 2020-03-17 15:31:17.000000000 +0100
|
||||
+++ openssl-1.1.1e/crypto/evp/c_allc.c 2020-03-17 17:30:52.027567375 +0100
|
||||
@@ -17,6 +17,9 @@
|
||||
void openssl_add_all_ciphers_int(void)
|
||||
{
|
||||
|
||||
+#ifdef OPENSSL_FIPS
|
||||
+ if (!FIPS_mode()) {
|
||||
+#endif
|
||||
#ifndef OPENSSL_NO_DES
|
||||
EVP_add_cipher(EVP_des_cfb());
|
||||
EVP_add_cipher(EVP_des_cfb1());
|
||||
@@ -263,4 +266,70 @@ void openssl_add_all_ciphers_int(void)
|
||||
EVP_add_cipher(EVP_chacha20_poly1305());
|
||||
# endif
|
||||
#endif
|
||||
+#ifdef OPENSSL_FIPS
|
||||
+ } else {
|
||||
+# ifndef OPENSSL_NO_DES
|
||||
+ EVP_add_cipher(EVP_des_ede3_cfb());
|
||||
+
|
||||
+ EVP_add_cipher(EVP_des_ede3_ofb());
|
||||
+
|
||||
+ EVP_add_cipher(EVP_des_ede3_cbc());
|
||||
+ EVP_add_cipher_alias(SN_des_ede3_cbc, "DES3");
|
||||
+ EVP_add_cipher_alias(SN_des_ede3_cbc, "des3");
|
||||
+
|
||||
+ EVP_add_cipher(EVP_des_ede3());
|
||||
+ EVP_add_cipher_alias(SN_des_ede3_ecb, "DES-EDE3-ECB");
|
||||
+ EVP_add_cipher_alias(SN_des_ede3_ecb, "des-ede3-ecb");
|
||||
+ EVP_add_cipher(EVP_des_ede3_wrap());
|
||||
+ EVP_add_cipher_alias(SN_id_smime_alg_CMS3DESwrap, "des3-wrap");
|
||||
+# endif
|
||||
+
|
||||
+# ifndef OPENSSL_NO_AES
|
||||
+ EVP_add_cipher(EVP_aes_128_ecb());
|
||||
+ EVP_add_cipher(EVP_aes_128_cbc());
|
||||
+ EVP_add_cipher(EVP_aes_128_cfb());
|
||||
+ EVP_add_cipher(EVP_aes_128_cfb1());
|
||||
+ EVP_add_cipher(EVP_aes_128_cfb8());
|
||||
+ EVP_add_cipher(EVP_aes_128_ofb());
|
||||
+ EVP_add_cipher(EVP_aes_128_ctr());
|
||||
+ EVP_add_cipher(EVP_aes_128_gcm());
|
||||
+ EVP_add_cipher(EVP_aes_128_xts());
|
||||
+ EVP_add_cipher(EVP_aes_128_ccm());
|
||||
+ EVP_add_cipher(EVP_aes_128_wrap());
|
||||
+ EVP_add_cipher_alias(SN_id_aes128_wrap, "aes128-wrap");
|
||||
+ EVP_add_cipher(EVP_aes_128_wrap_pad());
|
||||
+ EVP_add_cipher_alias(SN_aes_128_cbc, "AES128");
|
||||
+ EVP_add_cipher_alias(SN_aes_128_cbc, "aes128");
|
||||
+ EVP_add_cipher(EVP_aes_192_ecb());
|
||||
+ EVP_add_cipher(EVP_aes_192_cbc());
|
||||
+ EVP_add_cipher(EVP_aes_192_cfb());
|
||||
+ EVP_add_cipher(EVP_aes_192_cfb1());
|
||||
+ EVP_add_cipher(EVP_aes_192_cfb8());
|
||||
+ EVP_add_cipher(EVP_aes_192_ofb());
|
||||
+ EVP_add_cipher(EVP_aes_192_ctr());
|
||||
+ EVP_add_cipher(EVP_aes_192_gcm());
|
||||
+ EVP_add_cipher(EVP_aes_192_ccm());
|
||||
+ EVP_add_cipher(EVP_aes_192_wrap());
|
||||
+ EVP_add_cipher_alias(SN_id_aes192_wrap, "aes192-wrap");
|
||||
+ EVP_add_cipher(EVP_aes_192_wrap_pad());
|
||||
+ EVP_add_cipher_alias(SN_aes_192_cbc, "AES192");
|
||||
+ EVP_add_cipher_alias(SN_aes_192_cbc, "aes192");
|
||||
+ EVP_add_cipher(EVP_aes_256_ecb());
|
||||
+ EVP_add_cipher(EVP_aes_256_cbc());
|
||||
+ EVP_add_cipher(EVP_aes_256_cfb());
|
||||
+ EVP_add_cipher(EVP_aes_256_cfb1());
|
||||
+ EVP_add_cipher(EVP_aes_256_cfb8());
|
||||
+ EVP_add_cipher(EVP_aes_256_ofb());
|
||||
+ EVP_add_cipher(EVP_aes_256_ctr());
|
||||
+ EVP_add_cipher(EVP_aes_256_gcm());
|
||||
+ EVP_add_cipher(EVP_aes_256_xts());
|
||||
+ EVP_add_cipher(EVP_aes_256_ccm());
|
||||
+ EVP_add_cipher(EVP_aes_256_wrap());
|
||||
+ EVP_add_cipher_alias(SN_id_aes256_wrap, "aes256-wrap");
|
||||
+ EVP_add_cipher(EVP_aes_256_wrap_pad());
|
||||
+ EVP_add_cipher_alias(SN_aes_256_cbc, "AES256");
|
||||
+ EVP_add_cipher_alias(SN_aes_256_cbc, "aes256");
|
||||
+# endif
|
||||
+ }
|
||||
+#endif
|
||||
}
|
||||
diff -up openssl-1.1.1e/crypto/evp/c_alld.c.fips openssl-1.1.1e/crypto/evp/c_alld.c
|
||||
--- openssl-1.1.1e/crypto/evp/c_alld.c.fips 2020-03-17 15:31:17.000000000 +0100
|
||||
+++ openssl-1.1.1e/crypto/evp/c_alld.c 2020-03-17 17:30:52.027567375 +0100
|
||||
@@ -16,6 +16,9 @@
|
||||
|
||||
void openssl_add_all_digests_int(void)
|
||||
{
|
||||
+#ifdef OPENSSL_FIPS
|
||||
+ if (!FIPS_mode()) {
|
||||
+#endif
|
||||
#ifndef OPENSSL_NO_MD4
|
||||
EVP_add_digest(EVP_md4());
|
||||
#endif
|
||||
@@ -57,4 +60,24 @@ void openssl_add_all_digests_int(void)
|
||||
EVP_add_digest(EVP_sha3_512());
|
||||
EVP_add_digest(EVP_shake128());
|
||||
EVP_add_digest(EVP_shake256());
|
||||
+#ifdef OPENSSL_FIPS
|
||||
+ } else {
|
||||
+ EVP_add_digest(EVP_md5_sha1());
|
||||
+ EVP_add_digest(EVP_sha1());
|
||||
+ EVP_add_digest_alias(SN_sha1, "ssl3-sha1");
|
||||
+ EVP_add_digest_alias(SN_sha1WithRSAEncryption, SN_sha1WithRSA);
|
||||
+ EVP_add_digest(EVP_sha224());
|
||||
+ EVP_add_digest(EVP_sha256());
|
||||
+ EVP_add_digest(EVP_sha384());
|
||||
+ EVP_add_digest(EVP_sha512());
|
||||
+ EVP_add_digest(EVP_sha512_224());
|
||||
+ EVP_add_digest(EVP_sha512_256());
|
||||
+ EVP_add_digest(EVP_sha3_224());
|
||||
+ EVP_add_digest(EVP_sha3_256());
|
||||
+ EVP_add_digest(EVP_sha3_384());
|
||||
+ EVP_add_digest(EVP_sha3_512());
|
||||
+ EVP_add_digest(EVP_shake128());
|
||||
+ EVP_add_digest(EVP_shake256());
|
||||
+ }
|
||||
+#endif
|
||||
}
|
||||
diff -up openssl-1.1.1e/crypto/evp/digest.c.fips openssl-1.1.1e/crypto/evp/digest.c
|
||||
--- openssl-1.1.1e/crypto/evp/digest.c.fips 2020-03-17 15:31:17.000000000 +0100
|
||||
+++ openssl-1.1.1e/crypto/evp/digest.c 2020-03-17 17:38:57.528093469 +0100
|
||||
|
@ -2303,7 +2181,7 @@ diff -up openssl-1.1.1e/crypto/fips/fips.c.fips openssl-1.1.1e/crypto/fips/fips.
|
|||
+ rv = 0;
|
||||
+
|
||||
+ /* Installed == true */
|
||||
+ return !rv;
|
||||
+ return !rv || FIPS_module_mode();
|
||||
+}
|
||||
+
|
||||
+int FIPS_module_mode_set(int onoff)
|
||||
|
@ -9865,7 +9743,7 @@ diff -up openssl-1.1.1e/crypto/o_fips.c.fips openssl-1.1.1e/crypto/o_fips.c
|
|||
diff -up openssl-1.1.1e/crypto/o_init.c.fips openssl-1.1.1e/crypto/o_init.c
|
||||
--- openssl-1.1.1e/crypto/o_init.c.fips 2020-03-17 15:31:17.000000000 +0100
|
||||
+++ openssl-1.1.1e/crypto/o_init.c 2020-03-17 17:30:52.052566939 +0100
|
||||
@@ -7,8 +7,68 @@
|
||||
@@ -7,8 +7,69 @@
|
||||
* https://www.openssl.org/source/license.html
|
||||
*/
|
||||
|
||||
|
@ -9891,16 +9769,20 @@ diff -up openssl-1.1.1e/crypto/o_init.c.fips openssl-1.1.1e/crypto/o_init.c
|
|||
+ char buf[2] = "0";
|
||||
+ int fd;
|
||||
+
|
||||
+ /* Ensure the selftests always run */
|
||||
+ /* XXX: TO SOLVE - premature initialization due to selftests */
|
||||
+ FIPS_mode_set(1);
|
||||
+
|
||||
+ if (secure_getenv("OPENSSL_FORCE_FIPS_MODE") != NULL) {
|
||||
+ buf[0] = '1';
|
||||
+ } else if ((fd = open(FIPS_MODE_SWITCH_FILE, O_RDONLY)) >= 0) {
|
||||
+ while (read(fd, buf, sizeof(buf)) < 0 && errno == EINTR) ;
|
||||
+ close(fd);
|
||||
+ }
|
||||
+
|
||||
+ if (buf[0] != '1' && !FIPS_module_installed())
|
||||
+ return;
|
||||
+
|
||||
+ /* Ensure the selftests always run */
|
||||
+ /* XXX: TO SOLVE - premature initialization due to selftests */
|
||||
+ FIPS_mode_set(1);
|
||||
+
|
||||
+ /* Failure reading the fips mode switch file means just not
|
||||
+ * switching into FIPS mode. We would break too many things
|
||||
+ * otherwise..
|
||||
|
@ -9925,9 +9807,6 @@ diff -up openssl-1.1.1e/crypto/o_init.c.fips openssl-1.1.1e/crypto/o_init.c
|
|||
+ if (done)
|
||||
+ return;
|
||||
+ done = 1;
|
||||
+ if (!FIPS_module_installed()) {
|
||||
+ return;
|
||||
+ }
|
||||
+ init_fips_mode();
|
||||
+}
|
||||
+#endif
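Review bot: In the init_fips_mode hunk of crypto/o_init.c (`@ -9891,16 +9769,20 @@`) the four-line block ending in `FIPS_mode_set(1);` under `/* XXX: TO SOLVE - premature initialization due to selftests */` now runs before `OPENSSL_FORCE_FIPS_MODE` and `FIPS_MODE_SWITCH_FILE` are consulted, if the 16→20 line count is read as that block being the addition; the later `return` on `buf[0] != '1' && !FIPS_module_installed()` then leaves the library in whatever state that early call produced, and any code that reverts it is outside the hunk. The merge also lands the `XXX: TO SOLVE` marker itself, so the rebase should either resolve it or record the known state, e.g. `/* FIPS_mode_set(1) is called early only to force the POST; the non-FIPS path below must reset the mode */`. This interacts with the companion line in crypto/fips/fips.c (`return !rv || FIPS_module_mode();`, `@ -2303,7 +2181,7 @@`), which presumably makes FIPS_module_installed() report true once module mode is on, so the guard above may no longer return on a host without the switch file; worth checking against the intent. init_fips_mode begins outside the hunk.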
|
||||
|
|
|
@ -0,0 +1,170 @@
|
|||
diff -up openssl-1.1.1g/crypto/fips/build.info.kdf-selftest openssl-1.1.1g/crypto/fips/build.info
|
||||
--- openssl-1.1.1g/crypto/fips/build.info.kdf-selftest 2020-06-03 16:08:36.274849058 +0200
|
||||
+++ openssl-1.1.1g/crypto/fips/build.info 2020-06-03 16:11:05.609079372 +0200
|
||||
@@ -5,7 +5,7 @@ SOURCE[../../libcrypto]=\
|
||||
fips_post.c fips_drbg_ctr.c fips_drbg_hash.c fips_drbg_hmac.c \
|
||||
fips_drbg_lib.c fips_drbg_rand.c fips_drbg_selftest.c fips_rand_lib.c \
|
||||
fips_cmac_selftest.c fips_ecdh_selftest.c fips_ecdsa_selftest.c \
|
||||
- fips_dh_selftest.c fips_ers.c
|
||||
+ fips_dh_selftest.c fips_kdf_selftest.c fips_ers.c
|
||||
|
||||
PROGRAMS_NO_INST=\
|
||||
fips_standalone_hmac
|
||||
diff -up openssl-1.1.1g/crypto/fips/fips_kdf_selftest.c.kdf-selftest openssl-1.1.1g/crypto/fips/fips_kdf_selftest.c
|
||||
--- openssl-1.1.1g/crypto/fips/fips_kdf_selftest.c.kdf-selftest 2020-06-03 16:08:36.337849577 +0200
|
||||
+++ openssl-1.1.1g/crypto/fips/fips_kdf_selftest.c 2020-06-03 16:08:36.337849577 +0200
|
||||
@@ -0,0 +1,117 @@
|
||||
+/*
|
||||
+ * Copyright 2018-2019 The OpenSSL Project Authors. All Rights Reserved.
|
||||
+ * Copyright (c) 2018-2019, Oracle and/or its affiliates. All rights reserved.
|
||||
+ *
|
||||
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
+ * this file except in compliance with the License. You can obtain a copy
|
||||
+ * in the file LICENSE in the source distribution or at
|
||||
+ * https://www.openssl.org/source/license.html
|
||||
+ */
|
||||
+
|
||||
+#include <string.h>
|
||||
+#include <openssl/err.h>
|
||||
+#include <openssl/fips.h>
|
||||
+#include "crypto/fips.h"
|
||||
+
|
||||
+#include <openssl/evp.h>
|
||||
+#include <openssl/kdf.h>
|
||||
+
|
||||
+#ifdef OPENSSL_FIPS
|
||||
+int FIPS_selftest_pbkdf2(void)
|
||||
+{
|
||||
+ int ret = 0;
|
||||
+ EVP_KDF_CTX *kctx;
|
||||
+ unsigned char out[32];
|
||||
+
|
||||
+ if ((kctx = EVP_KDF_CTX_new_id(EVP_KDF_PBKDF2)) == NULL) {
|
||||
+ goto err;
|
||||
+ }
|
||||
+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_PASS, "password", (size_t)8) <= 0) {
|
||||
+ goto err;
|
||||
+ }
|
||||
+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SALT, "salt", (size_t)4) <= 0) {
|
||||
+ goto err;
|
||||
+ }
|
||||
+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_ITER, 2) <= 0) {
|
||||
+ goto err;
|
||||
+ }
|
||||
+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MD, EVP_sha256()) <= 0) {
|
||||
+ goto err;
|
||||
+ }
|
||||
+ if (EVP_KDF_derive(kctx, out, sizeof(out)) <= 0) {
|
||||
+ goto err;
|
||||
+ }
|
||||
+
|
||||
+ {
|
||||
+ const unsigned char expected[sizeof(out)] = {
|
||||
+ 0xae, 0x4d, 0x0c, 0x95, 0xaf, 0x6b, 0x46, 0xd3,
|
||||
+ 0x2d, 0x0a, 0xdf, 0xf9, 0x28, 0xf0, 0x6d, 0xd0,
|
||||
+ 0x2a, 0x30, 0x3f, 0x8e, 0xf3, 0xc2, 0x51, 0xdf,
|
||||
+ 0xd6, 0xe2, 0xd8, 0x5a, 0x95, 0x47, 0x4c, 0x43
|
||||
+ };
|
||||
+ if (memcmp(out, expected, sizeof(expected))) {
|
||||
+ goto err;
|
||||
+ }
|
||||
+ }
|
||||
+ ret = 1;
|
||||
+
|
||||
+err:
|
||||
+ if (!ret)
|
||||
+ FIPSerr(FIPS_F_FIPS_SELFTEST_PBKDF2, FIPS_R_SELFTEST_FAILED);
|
||||
+ EVP_KDF_CTX_free(kctx);
|
||||
+ return ret;
|
||||
+}
|
||||
+
|
||||
+/* Test vector from RFC 8009 (AES Encryption with HMAC-SHA2 for Kerberos
|
||||
+ * 5) appendix A. */
|
||||
+int FIPS_selftest_kbkdf(void)
|
||||
+{
|
||||
+ int ret = 0;
|
||||
+ EVP_KDF_CTX *kctx;
|
||||
+ char *label = "prf", *prf_input = "test";
|
||||
+ static unsigned char input_key[] = {
|
||||
+ 0x37, 0x05, 0xD9, 0x60, 0x80, 0xC1, 0x77, 0x28,
|
||||
+ 0xA0, 0xE8, 0x00, 0xEA, 0xB6, 0xE0, 0xD2, 0x3C,
|
||||
+ };
|
||||
+ static unsigned char output[] = {
|
||||
+ 0x9D, 0x18, 0x86, 0x16, 0xF6, 0x38, 0x52, 0xFE,
|
||||
+ 0x86, 0x91, 0x5B, 0xB8, 0x40, 0xB4, 0xA8, 0x86,
|
||||
+ 0xFF, 0x3E, 0x6B, 0xB0, 0xF8, 0x19, 0xB4, 0x9B,
|
||||
+ 0x89, 0x33, 0x93, 0xD3, 0x93, 0x85, 0x42, 0x95,
|
||||
+ };
|
||||
+ unsigned char result[sizeof(output)] = { 0 };
|
||||
+
|
||||
+ if ((kctx = EVP_KDF_CTX_new_id(EVP_KDF_KB)) == NULL) {
|
||||
+ goto err;
|
||||
+ }
|
||||
+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KB_MAC_TYPE, EVP_KDF_KB_MAC_TYPE_HMAC) <= 0) {
|
||||
+ goto err;
|
||||
+ }
|
||||
+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MD, EVP_sha256()) <= 0) {
|
||||
+ goto err;
|
||||
+ }
|
||||
+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KEY, input_key, sizeof(input_key)) <= 0) {
|
||||
+ goto err;
|
||||
+ }
|
||||
+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SALT, label, strlen(label)) <= 0) {
|
||||
+ goto err;
|
||||
+ }
|
||||
+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KB_INFO, prf_input, strlen(prf_input)) <= 0) {
|
||||
+ goto err;
|
||||
+ }
|
||||
+ ret = EVP_KDF_derive(kctx, result, sizeof(result)) > 0
|
||||
+ && memcmp(result, output, sizeof(output)) == 0;
|
||||
+err:
|
||||
+
|
||||
+ if (!ret)
|
||||
+ FIPSerr(FIPS_F_FIPS_SELFTEST_KBKDF, FIPS_R_SELFTEST_FAILED);
|
||||
+ EVP_KDF_CTX_free(kctx);
|
||||
+ return ret;
|
||||
+}
|
||||
+
|
||||
+int FIPS_selftest_kdf(void)
|
||||
+{
|
||||
+ return FIPS_selftest_pbkdf2() && FIPS_selftest_kbkdf();
|
||||
+}
|
||||
+
|
||||
+#endif
|
||||
diff -up openssl-1.1.1g/crypto/fips/fips_post.c.kdf-selftest openssl-1.1.1g/crypto/fips/fips_post.c
|
||||
--- openssl-1.1.1g/crypto/fips/fips_post.c.kdf-selftest 2020-06-03 16:08:36.332849536 +0200
|
||||
+++ openssl-1.1.1g/crypto/fips/fips_post.c 2020-06-03 16:08:36.338849585 +0200
|
||||
@@ -111,6 +111,8 @@ int FIPS_selftest(void)
|
||||
rv = 0;
|
||||
if (!FIPS_selftest_ecdh())
|
||||
rv = 0;
|
||||
+ if (!FIPS_selftest_kdf())
|
||||
+ rv = 0;
|
||||
return rv;
|
||||
}
|
||||
|
||||
diff -up openssl-1.1.1g/include/crypto/fips.h.kdf-selftest openssl-1.1.1g/include/crypto/fips.h
|
||||
--- openssl-1.1.1g/include/crypto/fips.h.kdf-selftest 2020-06-03 16:08:36.330849519 +0200
|
||||
+++ openssl-1.1.1g/include/crypto/fips.h 2020-06-03 16:08:36.338849585 +0200
|
||||
@@ -72,6 +72,9 @@ void FIPS_drbg_stick(int onoff);
|
||||
int FIPS_selftest_hmac(void);
|
||||
int FIPS_selftest_drbg(void);
|
||||
int FIPS_selftest_cmac(void);
|
||||
+int FIPS_selftest_kbkdf(void);
|
||||
+int FIPS_selftest_pbkdf2(void);
|
||||
+int FIPS_selftest_kdf(void);
|
||||
|
||||
int fips_in_post(void);
|
||||
|
||||
diff -up openssl-1.1.1g/include/openssl/fips.h.kdf-selftest openssl-1.1.1g/include/openssl/fips.h
|
||||
--- openssl-1.1.1g/include/openssl/fips.h.kdf-selftest 2020-06-03 16:08:36.282849124 +0200
|
||||
+++ openssl-1.1.1g/include/openssl/fips.h 2020-06-03 16:08:36.338849585 +0200
|
||||
@@ -123,6 +123,8 @@ extern "C" {
|
||||
# define FIPS_F_FIPS_SELFTEST_DSA 112
|
||||
# define FIPS_F_FIPS_SELFTEST_ECDSA 133
|
||||
# define FIPS_F_FIPS_SELFTEST_HMAC 113
|
||||
+# define FIPS_F_FIPS_SELFTEST_KBKDF 151
|
||||
+# define FIPS_F_FIPS_SELFTEST_PBKDF2 152
|
||||
# define FIPS_F_FIPS_SELFTEST_SHA1 115
|
||||
# define FIPS_F_FIPS_SELFTEST_SHA2 105
|
||||
# define FIPS_F_OSSL_ECDSA_SIGN_SIG 143
|
|
@ -0,0 +1,44 @@
|
|||
diff -up openssl-1.1.1g/include/openssl/ssl3.h.reneg-no-extms openssl-1.1.1g/include/openssl/ssl3.h
|
||||
--- openssl-1.1.1g/include/openssl/ssl3.h.reneg-no-extms 2020-04-21 14:22:39.000000000 +0200
|
||||
+++ openssl-1.1.1g/include/openssl/ssl3.h 2020-06-05 15:20:22.090682776 +0200
|
||||
@@ -292,6 +292,9 @@ extern "C" {
|
||||
|
||||
# define TLS1_FLAGS_STATELESS 0x0800
|
||||
|
||||
+/* Set if extended master secret extension required on renegotiation */
|
||||
+# define TLS1_FLAGS_REQUIRED_EXTMS 0x1000
|
||||
+
|
||||
# define SSL3_MT_HELLO_REQUEST 0
|
||||
# define SSL3_MT_CLIENT_HELLO 1
|
||||
# define SSL3_MT_SERVER_HELLO 2
|
||||
diff -up openssl-1.1.1g/ssl/statem/extensions.c.reneg-no-extms openssl-1.1.1g/ssl/statem/extensions.c
|
||||
--- openssl-1.1.1g/ssl/statem/extensions.c.reneg-no-extms 2020-04-21 14:22:39.000000000 +0200
|
||||
+++ openssl-1.1.1g/ssl/statem/extensions.c 2020-06-05 15:22:19.677653437 +0200
|
||||
@@ -1168,14 +1168,26 @@ static int init_etm(SSL *s, unsigned int
|
||||
|
||||
static int init_ems(SSL *s, unsigned int context)
|
||||
{
|
||||
- if (!s->server)
|
||||
+ if (s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS) {
|
||||
s->s3->flags &= ~TLS1_FLAGS_RECEIVED_EXTMS;
|
||||
+ s->s3->flags |= TLS1_FLAGS_REQUIRED_EXTMS;
|
||||
+ }
|
||||
|
||||
return 1;
|
||||
}
|
||||
|
||||
static int final_ems(SSL *s, unsigned int context, int sent)
|
||||
{
|
||||
+ /*
|
||||
+ * Check extended master secret extension is not dropped on
|
||||
+ * renegotiation.
|
||||
+ */
|
||||
+ if (!(s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS)
|
||||
+ && (s->s3->flags & TLS1_FLAGS_REQUIRED_EXTMS)) {
|
||||
+ SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_FINAL_EMS,
|
||||
+ SSL_R_INCONSISTENT_EXTMS);
|
||||
+ return 0;
|
||||
+ }
|
||||
if (!s->server && s->hit) {
|
||||
/*
|
||||
* Check extended master secret extension is consistent with
|
|
@ -0,0 +1,170 @@
|
|||
diff -up openssl-1.1.1g/crypto/fips/fips_drbg_lib.c.rewire-fips-drbg openssl-1.1.1g/crypto/fips/fips_drbg_lib.c
|
||||
--- openssl-1.1.1g/crypto/fips/fips_drbg_lib.c.rewire-fips-drbg 2020-06-22 13:32:47.611852927 +0200
|
||||
+++ openssl-1.1.1g/crypto/fips/fips_drbg_lib.c 2020-06-22 13:32:47.675852917 +0200
|
||||
@@ -337,6 +337,19 @@ static int drbg_reseed(DRBG_CTX *dctx,
|
||||
int FIPS_drbg_reseed(DRBG_CTX *dctx,
|
||||
const unsigned char *adin, size_t adinlen)
|
||||
{
|
||||
+ int len = (int)adinlen;
|
||||
+
|
||||
+ if (len < 0 || (size_t)len != adinlen) {
|
||||
+ FIPSerr(FIPS_F_DRBG_RESEED, FIPS_R_ADDITIONAL_INPUT_TOO_LONG);
|
||||
+ return 0;
|
||||
+ }
|
||||
+ RAND_seed(adin, len);
|
||||
+ return 1;
|
||||
+}
|
||||
+
|
||||
+int FIPS_drbg_reseed_internal(DRBG_CTX *dctx,
|
||||
+ const unsigned char *adin, size_t adinlen)
|
||||
+{
|
||||
return drbg_reseed(dctx, adin, adinlen, 1);
|
||||
}
|
||||
|
||||
@@ -358,6 +371,19 @@ int FIPS_drbg_generate(DRBG_CTX *dctx, u
|
||||
int prediction_resistance,
|
||||
const unsigned char *adin, size_t adinlen)
|
||||
{
|
||||
+ int len = (int)outlen;
|
||||
+
|
||||
+ if (len < 0 || (size_t)len != outlen) {
|
||||
+ FIPSerr(FIPS_F_FIPS_DRBG_GENERATE, FIPS_R_REQUEST_TOO_LARGE_FOR_DRBG);
|
||||
+ return 0;
|
||||
+ }
|
||||
+ return RAND_bytes(out, len);
|
||||
+}
|
||||
+
|
||||
+int FIPS_drbg_generate_internal(DRBG_CTX *dctx, unsigned char *out, size_t outlen,
|
||||
+ int prediction_resistance,
|
||||
+ const unsigned char *adin, size_t adinlen)
|
||||
+{
|
||||
int r = 0;
|
||||
|
||||
if (FIPS_selftest_failed()) {
|
||||
diff -up openssl-1.1.1g/crypto/fips/fips_drbg_rand.c.rewire-fips-drbg openssl-1.1.1g/crypto/fips/fips_drbg_rand.c
|
||||
--- openssl-1.1.1g/crypto/fips/fips_drbg_rand.c.rewire-fips-drbg 2020-06-22 13:32:47.611852927 +0200
|
||||
+++ openssl-1.1.1g/crypto/fips/fips_drbg_rand.c 2020-06-22 13:32:47.675852917 +0200
|
||||
@@ -57,6 +57,8 @@
|
||||
#include <openssl/err.h>
|
||||
#include <openssl/rand.h>
|
||||
#include <openssl/fips.h>
|
||||
+#define FIPS_DRBG_generate FIPS_DRBG_generate_internal
|
||||
+#define FIPS_DRBG_reseed FIPS_DRBG_reseed_internal
|
||||
#include <openssl/fips_rand.h>
|
||||
#include "fips_rand_lcl.h"
|
||||
|
||||
diff -up openssl-1.1.1g/crypto/fips/fips_drbg_selftest.c.rewire-fips-drbg openssl-1.1.1g/crypto/fips/fips_drbg_selftest.c
|
||||
--- openssl-1.1.1g/crypto/fips/fips_drbg_selftest.c.rewire-fips-drbg 2020-06-22 13:32:47.612852927 +0200
|
||||
+++ openssl-1.1.1g/crypto/fips/fips_drbg_selftest.c 2020-06-22 13:32:47.675852917 +0200
|
||||
@@ -55,6 +55,8 @@
|
||||
#include <openssl/crypto.h>
|
||||
#include <openssl/err.h>
|
||||
#include <openssl/fips.h>
|
||||
+#define FIPS_DRBG_generate FIPS_DRBG_generate_internal
|
||||
+#define FIPS_DRBG_reseed FIPS_DRBG_reseed_internal
|
||||
#include <openssl/fips_rand.h>
|
||||
#include "fips_rand_lcl.h"
|
||||
#include "fips_locl.h"
|
||||
diff -up openssl-1.1.1g/crypto/fips/fips_post.c.rewire-fips-drbg openssl-1.1.1g/crypto/fips/fips_post.c
|
||||
--- openssl-1.1.1g/crypto/fips/fips_post.c.rewire-fips-drbg 2020-06-22 13:32:47.672852918 +0200
|
||||
+++ openssl-1.1.1g/crypto/fips/fips_post.c 2020-06-22 13:32:47.675852917 +0200
|
||||
@@ -79,8 +79,6 @@ int FIPS_selftest(void)
|
||||
ERR_add_error_data(2, "Type=", "rand_drbg_selftest");
|
||||
rv = 0;
|
||||
}
|
||||
- if (!FIPS_selftest_drbg())
|
||||
- rv = 0;
|
||||
if (!FIPS_selftest_sha1())
|
||||
rv = 0;
|
||||
if (!FIPS_selftest_sha2())
|
||||
diff -up openssl-1.1.1g/crypto/fips/fips_rand_lib.c.rewire-fips-drbg openssl-1.1.1g/crypto/fips/fips_rand_lib.c
|
||||
--- openssl-1.1.1g/crypto/fips/fips_rand_lib.c.rewire-fips-drbg 2020-06-22 13:32:47.613852927 +0200
|
||||
+++ openssl-1.1.1g/crypto/fips/fips_rand_lib.c 2020-06-22 13:36:28.722817967 +0200
|
||||
@@ -120,6 +120,7 @@ void FIPS_rand_reset(void)
|
||||
|
||||
int FIPS_rand_seed(const void *buf, int num)
|
||||
{
|
||||
+#if 0
|
||||
if (!fips_approved_rand_meth && FIPS_module_mode()) {
|
||||
FIPSerr(FIPS_F_FIPS_RAND_SEED, FIPS_R_NON_FIPS_METHOD);
|
||||
return 0;
|
||||
@@ -127,10 +128,15 @@ int FIPS_rand_seed(const void *buf, int
|
||||
if (fips_rand_meth && fips_rand_meth->seed)
|
||||
fips_rand_meth->seed(buf, num);
|
||||
return 1;
|
||||
+#else
|
||||
+ RAND_seed(buf, num);
|
||||
+ return 1;
|
||||
+#endif
|
||||
}
|
||||
|
||||
int FIPS_rand_bytes(unsigned char *buf, int num)
|
||||
{
|
||||
+#if 0
|
||||
if (!fips_approved_rand_meth && FIPS_module_mode()) {
|
||||
FIPSerr(FIPS_F_FIPS_RAND_BYTES, FIPS_R_NON_FIPS_METHOD);
|
||||
return 0;
|
||||
@@ -138,10 +144,14 @@ int FIPS_rand_bytes(unsigned char *buf,
|
||||
if (fips_rand_meth && fips_rand_meth->bytes)
|
||||
return fips_rand_meth->bytes(buf, num);
|
||||
return 0;
|
||||
+#else
|
||||
+ return RAND_bytes(buf, num);
|
||||
+#endif
|
||||
}
|
||||
|
||||
int FIPS_rand_status(void)
|
||||
{
|
||||
+#if 0
|
||||
if (!fips_approved_rand_meth && FIPS_module_mode()) {
|
||||
FIPSerr(FIPS_F_FIPS_RAND_STATUS, FIPS_R_NON_FIPS_METHOD);
|
||||
return 0;
|
||||
@@ -149,6 +159,9 @@ int FIPS_rand_status(void)
|
||||
if (fips_rand_meth && fips_rand_meth->status)
|
||||
return fips_rand_meth->status();
|
||||
return 0;
|
||||
+#else
|
||||
+ return RAND_status();
|
||||
+#endif
|
||||
}
|
||||
|
||||
/* Return instantiated strength of PRNG. For DRBG this is an internal
|
||||
diff -up openssl-1.1.1g/include/openssl/fips.h.rewire-fips-drbg openssl-1.1.1g/include/openssl/fips.h
|
||||
--- openssl-1.1.1g/include/openssl/fips.h.rewire-fips-drbg 2020-06-22 13:32:47.672852918 +0200
|
||||
+++ openssl-1.1.1g/include/openssl/fips.h 2020-06-22 13:32:47.675852917 +0200
|
||||
@@ -64,6 +64,11 @@ extern "C" {
|
||||
|
||||
int FIPS_selftest(void);
|
||||
int FIPS_selftest_failed(void);
|
||||
+
|
||||
+ /*
|
||||
+ * This function is deprecated as it performs selftest of the old FIPS drbg
|
||||
+ * implementation that is not validated.
|
||||
+ */
|
||||
int FIPS_selftest_drbg_all(void);
|
||||
|
||||
int FIPS_dsa_builtin_paramgen2(DSA *ret, size_t L, size_t N,
|
||||
diff -up openssl-1.1.1g/include/openssl/fips_rand.h.rewire-fips-drbg openssl-1.1.1g/include/openssl/fips_rand.h
|
||||
--- openssl-1.1.1g/include/openssl/fips_rand.h.rewire-fips-drbg 2020-06-22 13:32:47.617852926 +0200
|
||||
+++ openssl-1.1.1g/include/openssl/fips_rand.h 2020-06-22 13:32:47.675852917 +0200
|
||||
@@ -60,6 +60,20 @@
|
||||
# ifdef __cplusplus
|
||||
extern "C" {
|
||||
# endif
|
||||
+
|
||||
+/*
|
||||
+ * IMPORTANT NOTE:
|
||||
+ * All functions in this header file are deprecated and should not be used
|
||||
+ * as they use the old FIPS_drbg implementation that is not FIPS validated
|
||||
+ * anymore.
|
||||
+ * To provide backwards compatibility for applications that need FIPS compliant
|
||||
+ * RNG number generation and use FIPS_drbg_generate, this function was
|
||||
+ * re-wired to call the FIPS validated DRBG instance instead through
|
||||
+ * the RAND_bytes() call.
|
||||
+ *
|
||||
+ * All these functions will be removed in future.
|
||||
+ */
|
||||
+
|
||||
typedef struct drbg_ctx_st DRBG_CTX;
|
||||
/* DRBG external flags */
|
||||
/* Flag for CTR mode only: use derivation function ctr_df */
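Review bot: The redirect macros added to fips_drbg_rand.c and fips_drbg_selftest.c spell the names `FIPS_DRBG_generate`/`FIPS_DRBG_reseed` with upper-case DRBG, but the functions this patch defines in fips_drbg_lib.c are `FIPS_drbg_generate_internal` and `FIPS_drbg_reseed_internal` in lower case, and C macros are case-sensitive; unless those two files happen to use the upper-case spelling themselves, the macros rename nothing and their internal calls keep going through the public wrappers that now end in RAND_bytes()/RAND_seed(), which would make the KATs in fips_drbg_selftest.c compare RAND_bytes output against fixed vectors. The intended lines are presumably `#define FIPS_drbg_generate FIPS_drbg_generate_internal` and `#define FIPS_drbg_reseed FIPS_drbg_reseed_internal`. Separately, the rewired `FIPS_drbg_generate` ignores `adin` and `prediction_resistance`, and `FIPS_drbg_reseed` hands the caller's additional input to RAND_seed(), which is documented to credit the bytes as full entropy even though SP 800-90A additional input may be public. `RAND_add(adin, len, 0.0)` would mix it in without entropy credit, and the IMPORTANT NOTE block in fips_rand.h should state that additional input and prediction resistance are no longer honoured by the generate path so callers are not misled.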
|
|
@ -1,7 +1,7 @@
|
|||
diff -up openssl-1.1.1/crypto/x509/x509_vfy.c.seclevel openssl-1.1.1/crypto/x509/x509_vfy.c
|
||||
--- openssl-1.1.1/crypto/x509/x509_vfy.c.seclevel 2018-09-11 14:48:22.000000000 +0200
|
||||
+++ openssl-1.1.1/crypto/x509/x509_vfy.c 2018-10-01 09:52:23.535298908 +0200
|
||||
@@ -3220,6 +3220,7 @@ static int build_chain(X509_STORE_CTX *c
|
||||
diff -up openssl-1.1.1g/crypto/x509/x509_vfy.c.seclevel openssl-1.1.1g/crypto/x509/x509_vfy.c
|
||||
--- openssl-1.1.1g/crypto/x509/x509_vfy.c.seclevel 2020-04-21 14:22:39.000000000 +0200
|
||||
+++ openssl-1.1.1g/crypto/x509/x509_vfy.c 2020-06-05 17:16:54.835536823 +0200
|
||||
@@ -3225,6 +3225,7 @@ static int build_chain(X509_STORE_CTX *c
|
||||
}
|
||||
|
||||
static const int minbits_table[] = { 80, 112, 128, 192, 256 };
|
||||
|
@ -9,20 +9,23 @@ diff -up openssl-1.1.1/crypto/x509/x509_vfy.c.seclevel openssl-1.1.1/crypto/x509
|
|||
static const int NUM_AUTH_LEVELS = OSSL_NELEM(minbits_table);
|
||||
|
||||
/*
|
||||
@@ -3264,6 +3265,8 @@ static int check_sig_level(X509_STORE_CT
|
||||
@@ -3276,6 +3277,11 @@ static int check_sig_level(X509_STORE_CT
|
||||
|
||||
if (!X509_get_signature_info(cert, NULL, NULL, &secbits, NULL))
|
||||
return 0;
|
||||
-
|
||||
- return secbits >= minbits_table[level - 1];
|
||||
+ /* Allow SHA1 in SECLEVEL 2 in non-FIPS mode */
|
||||
+ if (FIPS_mode())
|
||||
+ /*
|
||||
+ * Allow SHA1 in SECLEVEL 2 in non-FIPS mode or when the magic
|
||||
+ * disable SHA1 flag is not set.
|
||||
+ */
|
||||
+ if ((ctx->param->flags & 0x40000000) || FIPS_mode())
|
||||
+ return secbits >= minbits_table[level - 1];
|
||||
+ return secbits >= minbits_digest_table[level - 1];
|
||||
}
|
||||
diff -up openssl-1.1.1/doc/man3/SSL_CTX_set_security_level.pod.seclevel openssl-1.1.1/doc/man3/SSL_CTX_set_security_level.pod
|
||||
--- openssl-1.1.1/doc/man3/SSL_CTX_set_security_level.pod.seclevel 2018-09-11 14:48:22.000000000 +0200
|
||||
+++ openssl-1.1.1/doc/man3/SSL_CTX_set_security_level.pod 2018-10-01 09:52:23.535298908 +0200
|
||||
diff -up openssl-1.1.1g/doc/man3/SSL_CTX_set_security_level.pod.seclevel openssl-1.1.1g/doc/man3/SSL_CTX_set_security_level.pod
|
||||
--- openssl-1.1.1g/doc/man3/SSL_CTX_set_security_level.pod.seclevel 2020-04-21 14:22:39.000000000 +0200
|
||||
+++ openssl-1.1.1g/doc/man3/SSL_CTX_set_security_level.pod 2020-06-04 15:48:01.608178833 +0200
|
||||
@@ -81,8 +81,10 @@ using MD5 for the MAC is also prohibited
|
||||
|
||||
=item B<Level 2>
|
||||
|
@ -36,23 +39,115 @@ diff -up openssl-1.1.1/doc/man3/SSL_CTX_set_security_level.pod.seclevel openssl-
|
|||
In addition to the level 1 exclusions any cipher suite using RC4 is also
|
||||
prohibited. SSL version 3 is also not allowed. Compression is disabled.
|
||||
|
||||
diff -up openssl-1.1.1/ssl/ssl_cert.c.seclevel openssl-1.1.1/ssl/ssl_cert.c
|
||||
--- openssl-1.1.1/ssl/ssl_cert.c.seclevel 2018-09-11 14:48:23.000000000 +0200
|
||||
+++ openssl-1.1.1/ssl/ssl_cert.c 2018-10-12 15:29:12.673799305 +0200
|
||||
@@ -983,6 +983,9 @@ static int ssl_security_default_callback
|
||||
diff -up openssl-1.1.1g/ssl/ssl_cert.c.seclevel openssl-1.1.1g/ssl/ssl_cert.c
|
||||
--- openssl-1.1.1g/ssl/ssl_cert.c.seclevel 2020-04-21 14:22:39.000000000 +0200
|
||||
+++ openssl-1.1.1g/ssl/ssl_cert.c 2020-06-05 17:10:11.842198401 +0200
|
||||
@@ -27,6 +27,7 @@
|
||||
static int ssl_security_default_callback(const SSL *s, const SSL_CTX *ctx,
|
||||
int op, int bits, int nid, void *other,
|
||||
void *ex);
|
||||
+static unsigned long sha1_disable(const SSL *s, const SSL_CTX *ctx);
|
||||
|
||||
static CRYPTO_ONCE ssl_x509_store_ctx_once = CRYPTO_ONCE_STATIC_INIT;
|
||||
static volatile int ssl_x509_store_ctx_idx = -1;
|
||||
@@ -396,7 +397,7 @@ int ssl_verify_cert_chain(SSL *s, STACK_
|
||||
X509_VERIFY_PARAM_set_auth_level(param, SSL_get_security_level(s));
|
||||
|
||||
/* Set suite B flags if needed */
|
||||
- X509_STORE_CTX_set_flags(ctx, tls1_suiteb(s));
|
||||
+ X509_STORE_CTX_set_flags(ctx, tls1_suiteb(s) | sha1_disable(s, NULL));
|
||||
if (!X509_STORE_CTX_set_ex_data
|
||||
(ctx, SSL_get_ex_data_X509_STORE_CTX_idx(), s)) {
|
||||
goto end;
|
||||
@@ -953,12 +954,33 @@ static int ssl_security_default_callback
|
||||
return 0;
|
||||
break;
|
||||
default:
|
||||
+ /* allow SHA1 in SECLEVEL 2 in non FIPS mode */
|
||||
+ if (nid == NID_sha1 && minbits == 112 && !FIPS_mode())
|
||||
+ if (nid == NID_sha1 && minbits == 112 && !sha1_disable(s, ctx))
|
||||
+ break;
|
||||
if (bits < minbits)
|
||||
return 0;
|
||||
}
|
||||
diff -up openssl-1.1.1/test/recipes/25-test_verify.t.seclevel openssl-1.1.1/test/recipes/25-test_verify.t
|
||||
--- openssl-1.1.1/test/recipes/25-test_verify.t.seclevel 2018-09-11 14:48:24.000000000 +0200
|
||||
+++ openssl-1.1.1/test/recipes/25-test_verify.t 2018-10-01 09:52:23.535298908 +0200
|
||||
@@ -342,8 +342,8 @@ ok(verify("ee-pss-sha1-cert", "sslserver
|
||||
return 1;
|
||||
}
|
||||
|
||||
+static unsigned long sha1_disable(const SSL *s, const SSL_CTX *ctx)
|
||||
+{
|
||||
+ unsigned long ret = 0x40000000; /* a magical internal value used by X509_VERIFY_PARAM */
|
||||
+ const CERT *c;
|
||||
+
|
||||
+ if (FIPS_mode())
|
||||
+ return ret;
|
||||
+
|
||||
+ if (ctx != NULL) {
|
||||
+ c = ctx->cert;
|
||||
+ } else {
|
||||
+ c = s->cert;
|
||||
+ }
|
||||
+ if (tls1_cert_sigalgs_have_sha1(c))
|
||||
+ return 0;
|
||||
+ return ret;
|
||||
+}
|
||||
+
|
||||
int ssl_security(const SSL *s, int op, int bits, int nid, void *other)
|
||||
{
|
||||
return s->cert->sec_cb(s, NULL, op, bits, nid, other, s->cert->sec_ex);
|
||||
diff -up openssl-1.1.1g/ssl/ssl_local.h.seclevel openssl-1.1.1g/ssl/ssl_local.h
|
||||
--- openssl-1.1.1g/ssl/ssl_local.h.seclevel 2020-06-04 15:48:01.602178783 +0200
|
||||
+++ openssl-1.1.1g/ssl/ssl_local.h 2020-06-05 17:02:22.666313410 +0200
|
||||
@@ -2576,6 +2576,7 @@ __owur int tls1_save_sigalgs(SSL *s, PAC
|
||||
__owur int tls1_process_sigalgs(SSL *s);
|
||||
__owur int tls1_set_peer_legacy_sigalg(SSL *s, const EVP_PKEY *pkey);
|
||||
__owur int tls1_lookup_md(const SIGALG_LOOKUP *lu, const EVP_MD **pmd);
|
||||
+int tls1_cert_sigalgs_have_sha1(const CERT *c);
|
||||
__owur size_t tls12_get_psigalgs(SSL *s, int sent, const uint16_t **psigs);
|
||||
# ifndef OPENSSL_NO_EC
|
||||
__owur int tls_check_sigalg_curve(const SSL *s, int curve);
|
||||
diff -up openssl-1.1.1g/ssl/t1_lib.c.seclevel openssl-1.1.1g/ssl/t1_lib.c
|
||||
--- openssl-1.1.1g/ssl/t1_lib.c.seclevel 2020-06-04 15:48:01.654179221 +0200
|
||||
+++ openssl-1.1.1g/ssl/t1_lib.c 2020-06-05 17:02:40.268459157 +0200
|
||||
@@ -2145,6 +2145,36 @@ int tls1_set_sigalgs(CERT *c, const int
|
||||
return 0;
|
||||
}
|
||||
|
||||
+static int tls1_sigalgs_have_sha1(const uint16_t *sigalgs, size_t sigalgslen)
|
||||
+{
|
||||
+ size_t i;
|
||||
+
|
||||
+ for (i = 0; i < sigalgslen; i++, sigalgs++) {
|
||||
+ const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(*sigalgs);
|
||||
+
|
||||
+ if (lu == NULL)
|
||||
+ continue;
|
||||
+ if (lu->hash == NID_sha1)
|
||||
+ return 1;
|
||||
+ }
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
+
|
||||
+int tls1_cert_sigalgs_have_sha1(const CERT *c)
|
||||
+{
|
||||
+ if (c->client_sigalgs != NULL) {
|
||||
+ if (tls1_sigalgs_have_sha1(c->client_sigalgs, c->client_sigalgslen))
|
||||
+ return 1;
|
||||
+ }
|
||||
+ if (c->conf_sigalgs != NULL) {
|
||||
+ if (tls1_sigalgs_have_sha1(c->conf_sigalgs, c->conf_sigalgslen))
|
||||
+ return 1;
|
||||
+ return 0;
|
||||
+ }
|
||||
+ return 1;
|
||||
+}
|
||||
+
|
||||
static int tls1_check_sig_alg(SSL *s, X509 *x, int default_nid)
|
||||
{
|
||||
int sig_nid, use_pc_sigalgs = 0;
|
||||
diff -up openssl-1.1.1g/test/recipes/25-test_verify.t.seclevel openssl-1.1.1g/test/recipes/25-test_verify.t
|
||||
--- openssl-1.1.1g/test/recipes/25-test_verify.t.seclevel 2020-04-21 14:22:39.000000000 +0200
|
||||
+++ openssl-1.1.1g/test/recipes/25-test_verify.t 2020-06-04 15:48:01.608178833 +0200
|
||||
@@ -346,8 +346,8 @@ ok(verify("ee-pss-sha1-cert", "sslserver
|
||||
ok(verify("ee-pss-sha256-cert", "sslserver", ["root-cert"], ["ca-cert"], ),
|
||||
"CA with PSS signature using SHA256");
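Review bot: The SHA-1 disable flag is the bare literal `0x40000000` in both x509_vfy.c (`ctx->param->flags & 0x40000000`) and ssl_cert.c (`unsigned long ret = 0x40000000;`), with only a comment calling it magical; it sits in the public X509_VERIFY_PARAM flag space, so any application can set or clear it through X509_VERIFY_PARAM_set_flags(), and a future upstream X509_V_FLAG_* assigned the same value would silently change SHA-1 policy. Give it one name in a shared header, e.g. `# define X509_V_FLAG_SHA1_DISABLE 0x40000000 /* downstream: reject SHA-1 signatures at SECLEVEL 2 */`, and use it in both places. Also `sha1_disable()` dereferences `s->cert` whenever ctx is NULL without checking s, which holds for the two visible callers but deserves a one-line comment stating that at least one of s and ctx must be non-NULL. The test_verify.t hunk is cut off at the end of this section.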
|
||||
|
||||
|
|
|
@ -1,36 +0,0 @@
|
|||
From 93e26cedac20844733d59f33e313880da17fa23a Mon Sep 17 00:00:00 2001
|
||||
From: Matt Caswell <matt@openssl.org>
|
||||
Date: Thu, 5 Sep 2019 16:43:57 +0100
|
||||
Subject: [PATCH 1/2] Don't send a status_request extension in a
|
||||
CertificateRequest message
|
||||
|
||||
If a TLSv1.3 server configured to respond to the status_request extension
|
||||
also attempted to send a CertificateRequest then it was incorrectly
|
||||
inserting a non zero length status_request extension into that message.
|
||||
|
||||
The TLSv1.3 RFC does allow that extension in that message but it must
|
||||
always be zero length.
|
||||
|
||||
In fact we should not be sending the extension at all in that message
|
||||
because we don't support it.
|
||||
|
||||
Fixes #9767
|
||||
---
|
||||
ssl/statem/extensions_srvr.c | 4 ++++
|
||||
1 file changed, 4 insertions(+)
|
||||
|
||||
diff --git a/ssl/statem/extensions_srvr.c b/ssl/statem/extensions_srvr.c
|
||||
index e16722cbeb8..1c023fc6c40 100644
|
||||
--- a/ssl/statem/extensions_srvr.c
|
||||
+++ b/ssl/statem/extensions_srvr.c
|
||||
@@ -1491,6 +1491,10 @@ EXT_RETURN tls_construct_stoc_status_request(SSL *s, WPACKET *pkt,
|
||||
unsigned int context, X509 *x,
|
||||
size_t chainidx)
|
||||
{
|
||||
+ /* We don't currently support this extension inside a CertificateRequest */
|
||||
+ if (context == SSL_EXT_TLS1_3_CERTIFICATE_REQUEST)
|
||||
+ return EXT_RETURN_NOT_SENT;
|
||||
+
|
||||
if (!s->ext.status_expected)
|
||||
return EXT_RETURN_NOT_SENT;
|
||||
|
|
@ -1,671 +0,0 @@
|
|||
diff --git a/crypto/ec/ec_asn1.c b/crypto/ec/ec_asn1.c
|
||||
index 336afc989d..831b74ce6c 100644
|
||||
--- a/crypto/ec/ec_asn1.c
|
||||
+++ b/crypto/ec/ec_asn1.c
|
||||
@@ -1297,5 +1297,7 @@ int ECDSA_size(const EC_KEY *r)
|
||||
i = i2d_ASN1_INTEGER(&bs, NULL);
|
||||
i += i; /* r and s */
|
||||
ret = ASN1_object_size(1, i, V_ASN1_SEQUENCE);
|
||||
+ if (ret < 0)
|
||||
+ return 0;
|
||||
return ret;
|
||||
}
|
||||
diff --git a/crypto/ec/ec_lib.c b/crypto/ec/ec_lib.c
|
||||
index 3554ada827..22b00e203d 100644
|
||||
--- a/crypto/ec/ec_lib.c
|
||||
+++ b/crypto/ec/ec_lib.c
|
||||
@@ -1007,14 +1007,14 @@ int EC_POINTs_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
|
||||
size_t i = 0;
|
||||
BN_CTX *new_ctx = NULL;
|
||||
|
||||
- if ((scalar == NULL) && (num == 0)) {
|
||||
- return EC_POINT_set_to_infinity(group, r);
|
||||
- }
|
||||
-
|
||||
if (!ec_point_is_compat(r, group)) {
|
||||
ECerr(EC_F_EC_POINTS_MUL, EC_R_INCOMPATIBLE_OBJECTS);
|
||||
return 0;
|
||||
}
|
||||
+
|
||||
+ if (scalar == NULL && num == 0)
|
||||
+ return EC_POINT_set_to_infinity(group, r);
|
||||
+
|
||||
for (i = 0; i < num; i++) {
|
||||
if (!ec_point_is_compat(points[i], group)) {
|
||||
ECerr(EC_F_EC_POINTS_MUL, EC_R_INCOMPATIBLE_OBJECTS);
|
||||
diff --git a/crypto/ec/ec_mult.c b/crypto/ec/ec_mult.c
|
||||
index 7980a67282..d2e4773270 100644
|
||||
--- a/crypto/ec/ec_mult.c
|
||||
+++ b/crypto/ec/ec_mult.c
|
||||
@@ -260,17 +260,10 @@ int ec_scalar_mul_ladder(const EC_GROUP *group, EC_POINT *r,
|
||||
goto err;
|
||||
}
|
||||
|
||||
- /*-
|
||||
- * Apply coordinate blinding for EC_POINT.
|
||||
- *
|
||||
- * The underlying EC_METHOD can optionally implement this function:
|
||||
- * ec_point_blind_coordinates() returns 0 in case of errors or 1 on
|
||||
- * success or if coordinate blinding is not implemented for this
|
||||
- * group.
|
||||
- */
|
||||
- if (!ec_point_blind_coordinates(group, p, ctx)) {
|
||||
- ECerr(EC_F_EC_SCALAR_MUL_LADDER, EC_R_POINT_COORDINATES_BLIND_FAILURE);
|
||||
- goto err;
|
||||
+ /* ensure input point is in affine coords for ladder step efficiency */
|
||||
+ if (!p->Z_is_one && !EC_POINT_make_affine(group, p, ctx)) {
|
||||
+ ECerr(EC_F_EC_SCALAR_MUL_LADDER, ERR_R_EC_LIB);
|
||||
+ goto err;
|
||||
}
|
||||
|
||||
/* Initialize the Montgomery ladder */
|
||||
@@ -747,6 +740,20 @@ int ec_wNAF_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
|
||||
if (r_is_at_infinity) {
|
||||
if (!EC_POINT_copy(r, val_sub[i][digit >> 1]))
|
||||
goto err;
|
||||
+
|
||||
+ /*-
|
||||
+ * Apply coordinate blinding for EC_POINT.
|
||||
+ *
|
||||
+ * The underlying EC_METHOD can optionally implement this function:
|
||||
+ * ec_point_blind_coordinates() returns 0 in case of errors or 1 on
|
||||
+ * success or if coordinate blinding is not implemented for this
|
||||
+ * group.
|
||||
+ */
|
||||
+ if (!ec_point_blind_coordinates(group, r, ctx)) {
|
||||
+ ECerr(EC_F_EC_WNAF_MUL, EC_R_POINT_COORDINATES_BLIND_FAILURE);
|
||||
+ goto err;
|
||||
+ }
|
||||
+
|
||||
r_is_at_infinity = 0;
|
||||
} else {
|
||||
if (!EC_POINT_add
|
||||
diff --git a/crypto/ec/ecp_smpl.c b/crypto/ec/ecp_smpl.c
|
||||
index b354bfe9ce..6903db58ff 100644
|
||||
--- a/crypto/ec/ecp_smpl.c
|
||||
+++ b/crypto/ec/ecp_smpl.c
|
||||
@@ -1372,6 +1372,7 @@ int ec_GFp_simple_field_sqr(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a,
|
||||
* Computes the multiplicative inverse of a in GF(p), storing the result in r.
|
||||
* If a is zero (or equivalent), you'll get a EC_R_CANNOT_INVERT error.
|
||||
* Since we don't have a Mont structure here, SCA hardening is with blinding.
|
||||
+ * NB: "a" must be in _decoded_ form. (i.e. field_decode must precede.)
|
||||
*/
|
||||
int ec_GFp_simple_field_inv(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a,
|
||||
BN_CTX *ctx)
|
||||
@@ -1431,112 +1432,133 @@ int ec_GFp_simple_blind_coordinates(const EC_GROUP *group, EC_POINT *p,
|
||||
temp = BN_CTX_get(ctx);
|
||||
if (temp == NULL) {
|
||||
ECerr(EC_F_EC_GFP_SIMPLE_BLIND_COORDINATES, ERR_R_MALLOC_FAILURE);
|
||||
- goto err;
|
||||
+ goto end;
|
||||
}
|
||||
|
||||
- /* make sure lambda is not zero */
|
||||
+ /*-
|
||||
+ * Make sure lambda is not zero.
|
||||
+ * If the RNG fails, we cannot blind but nevertheless want
|
||||
+ * code to continue smoothly and not clobber the error stack.
|
||||
+ */
|
||||
do {
|
||||
- if (!BN_priv_rand_range(lambda, group->field)) {
|
||||
- ECerr(EC_F_EC_GFP_SIMPLE_BLIND_COORDINATES, ERR_R_BN_LIB);
|
||||
- goto err;
|
||||
+ ERR_set_mark();
|
||||
+ ret = BN_priv_rand_range(lambda, group->field);
|
||||
+ ERR_pop_to_mark();
|
||||
+ if (ret == 0) {
|
||||
+ ret = 1;
|
||||
+ goto end;
|
||||
}
|
||||
} while (BN_is_zero(lambda));
|
||||
|
||||
/* if field_encode defined convert between representations */
|
||||
- if (group->meth->field_encode != NULL
|
||||
- && !group->meth->field_encode(group, lambda, lambda, ctx))
|
||||
- goto err;
|
||||
- if (!group->meth->field_mul(group, p->Z, p->Z, lambda, ctx))
|
||||
- goto err;
|
||||
- if (!group->meth->field_sqr(group, temp, lambda, ctx))
|
||||
- goto err;
|
||||
- if (!group->meth->field_mul(group, p->X, p->X, temp, ctx))
|
||||
- goto err;
|
||||
- if (!group->meth->field_mul(group, temp, temp, lambda, ctx))
|
||||
- goto err;
|
||||
- if (!group->meth->field_mul(group, p->Y, p->Y, temp, ctx))
|
||||
- goto err;
|
||||
- p->Z_is_one = 0;
|
||||
+ if ((group->meth->field_encode != NULL
|
||||
+ && !group->meth->field_encode(group, lambda, lambda, ctx))
|
||||
+ || !group->meth->field_mul(group, p->Z, p->Z, lambda, ctx)
|
||||
+ || !group->meth->field_sqr(group, temp, lambda, ctx)
|
||||
+ || !group->meth->field_mul(group, p->X, p->X, temp, ctx)
|
||||
+ || !group->meth->field_mul(group, temp, temp, lambda, ctx)
|
||||
+ || !group->meth->field_mul(group, p->Y, p->Y, temp, ctx))
|
||||
+ goto end;
|
||||
|
||||
+ p->Z_is_one = 0;
|
||||
ret = 1;
|
||||
|
||||
- err:
|
||||
+ end:
|
||||
BN_CTX_end(ctx);
|
||||
return ret;
|
||||
}
|
||||
|
||||
/*-
|
||||
- * Set s := p, r := 2p.
|
||||
+ * Input:
|
||||
+ * - p: affine coordinates
|
||||
+ *
|
||||
+ * Output:
|
||||
+ * - s := p, r := 2p: blinded projective (homogeneous) coordinates
|
||||
*
|
||||
* For doubling we use Formula 3 from Izu-Takagi "A fast parallel elliptic curve
|
||||
- * multiplication resistant against side channel attacks" appendix, as described
|
||||
- * at
|
||||
+ * multiplication resistant against side channel attacks" appendix, described at
|
||||
* https://hyperelliptic.org/EFD/g1p/auto-shortw-xz.html#doubling-dbl-2002-it-2
|
||||
+ * simplified for Z1=1.
|
||||
*
|
||||
- * The input point p will be in randomized Jacobian projective coords:
|
||||
- * x = X/Z**2, y=Y/Z**3
|
||||
- *
|
||||
- * The output points p, s, and r are converted to standard (homogeneous)
|
||||
- * projective coords:
|
||||
- * x = X/Z, y=Y/Z
|
||||
+ * Blinding uses the equivalence relation (\lambda X, \lambda Y, \lambda Z)
|
||||
+ * for any non-zero \lambda that holds for projective (homogeneous) coords.
|
||||
*/
|
||||
int ec_GFp_simple_ladder_pre(const EC_GROUP *group,
|
||||
EC_POINT *r, EC_POINT *s,
|
||||
EC_POINT *p, BN_CTX *ctx)
|
||||
{
|
||||
- BIGNUM *t1, *t2, *t3, *t4, *t5, *t6 = NULL;
|
||||
+ BIGNUM *t1, *t2, *t3, *t4, *t5 = NULL;
|
||||
|
||||
- t1 = r->Z;
|
||||
- t2 = r->Y;
|
||||
+ t1 = s->Z;
|
||||
+ t2 = r->Z;
|
||||
t3 = s->X;
|
||||
t4 = r->X;
|
||||
t5 = s->Y;
|
||||
- t6 = s->Z;
|
||||
-
|
||||
- /* convert p: (X,Y,Z) -> (XZ,Y,Z**3) */
|
||||
- if (!group->meth->field_mul(group, p->X, p->X, p->Z, ctx)
|
||||
- || !group->meth->field_sqr(group, t1, p->Z, ctx)
|
||||
- || !group->meth->field_mul(group, p->Z, p->Z, t1, ctx)
|
||||
- /* r := 2p */
|
||||
- || !group->meth->field_sqr(group, t2, p->X, ctx)
|
||||
- || !group->meth->field_sqr(group, t3, p->Z, ctx)
|
||||
- || !group->meth->field_mul(group, t4, t3, group->a, ctx)
|
||||
- || !BN_mod_sub_quick(t5, t2, t4, group->field)
|
||||
- || !BN_mod_add_quick(t2, t2, t4, group->field)
|
||||
- || !group->meth->field_sqr(group, t5, t5, ctx)
|
||||
- || !group->meth->field_mul(group, t6, t3, group->b, ctx)
|
||||
- || !group->meth->field_mul(group, t1, p->X, p->Z, ctx)
|
||||
- || !group->meth->field_mul(group, t4, t1, t6, ctx)
|
||||
- || !BN_mod_lshift_quick(t4, t4, 3, group->field)
|
||||
+
|
||||
+ if (!p->Z_is_one /* r := 2p */
|
||||
+ || !group->meth->field_sqr(group, t3, p->X, ctx)
|
||||
+ || !BN_mod_sub_quick(t4, t3, group->a, group->field)
|
||||
+ || !group->meth->field_sqr(group, t4, t4, ctx)
|
||||
+ || !group->meth->field_mul(group, t5, p->X, group->b, ctx)
|
||||
+ || !BN_mod_lshift_quick(t5, t5, 3, group->field)
|
||||
/* r->X coord output */
|
||||
- || !BN_mod_sub_quick(r->X, t5, t4, group->field)
|
||||
- || !group->meth->field_mul(group, t1, t1, t2, ctx)
|
||||
- || !group->meth->field_mul(group, t2, t3, t6, ctx)
|
||||
- || !BN_mod_add_quick(t1, t1, t2, group->field)
|
||||
+ || !BN_mod_sub_quick(r->X, t4, t5, group->field)
|
||||
+ || !BN_mod_add_quick(t1, t3, group->a, group->field)
|
||||
+ || !group->meth->field_mul(group, t2, p->X, t1, ctx)
|
||||
+ || !BN_mod_add_quick(t2, group->b, t2, group->field)
|
||||
/* r->Z coord output */
|
||||
- || !BN_mod_lshift_quick(r->Z, t1, 2, group->field)
|
||||
- || !EC_POINT_copy(s, p))
|
||||
+ || !BN_mod_lshift_quick(r->Z, t2, 2, group->field))
|
||||
+ return 0;
|
||||
+
|
||||
+ /* make sure lambda (r->Y here for storage) is not zero */
|
||||
+ do {
|
||||
+ if (!BN_priv_rand_range(r->Y, group->field))
|
||||
+ return 0;
|
||||
+ } while (BN_is_zero(r->Y));
|
||||
+
|
||||
+ /* make sure lambda (s->Z here for storage) is not zero */
|
||||
+ do {
|
||||
+ if (!BN_priv_rand_range(s->Z, group->field))
|
||||
+ return 0;
|
||||
+ } while (BN_is_zero(s->Z));
|
||||
+
|
||||
+ /* if field_encode defined convert between representations */
|
||||
+ if (group->meth->field_encode != NULL
|
||||
+ && (!group->meth->field_encode(group, r->Y, r->Y, ctx)
|
||||
+ || !group->meth->field_encode(group, s->Z, s->Z, ctx)))
|
||||
+ return 0;
|
||||
+
|
||||
+ /* blind r and s independently */
|
||||
+ if (!group->meth->field_mul(group, r->Z, r->Z, r->Y, ctx)
|
||||
+ || !group->meth->field_mul(group, r->X, r->X, r->Y, ctx)
|
||||
+ || !group->meth->field_mul(group, s->X, p->X, s->Z, ctx)) /* s := p */
|
||||
return 0;
|
||||
|
||||
r->Z_is_one = 0;
|
||||
s->Z_is_one = 0;
|
||||
- p->Z_is_one = 0;
|
||||
|
||||
return 1;
|
||||
}
|
||||
|
||||
/*-
|
||||
- * Differential addition-and-doubling using Eq. (9) and (10) from Izu-Takagi
|
||||
+ * Input:
|
||||
+ * - s, r: projective (homogeneous) coordinates
|
||||
+ * - p: affine coordinates
|
||||
+ *
|
||||
+ * Output:
|
||||
+ * - s := r + s, r := 2r: projective (homogeneous) coordinates
|
||||
+ *
|
||||
+ * Differential addition-and-doubling using Eq. (9) and (10) from Izu-Takagi
|
||||
* "A fast parallel elliptic curve multiplication resistant against side channel
|
||||
* attacks", as described at
|
||||
- * https://hyperelliptic.org/EFD/g1p/auto-shortw-xz.html#ladder-ladd-2002-it-4
|
||||
+ * https://hyperelliptic.org/EFD/g1p/auto-shortw-xz.html#ladder-mladd-2002-it-4
|
||||
*/
|
||||
int ec_GFp_simple_ladder_step(const EC_GROUP *group,
|
||||
EC_POINT *r, EC_POINT *s,
|
||||
EC_POINT *p, BN_CTX *ctx)
|
||||
{
|
||||
int ret = 0;
|
||||
- BIGNUM *t0, *t1, *t2, *t3, *t4, *t5, *t6, *t7 = NULL;
|
||||
+ BIGNUM *t0, *t1, *t2, *t3, *t4, *t5, *t6 = NULL;
|
||||
|
||||
BN_CTX_start(ctx);
|
||||
t0 = BN_CTX_get(ctx);
|
||||
@@ -1546,50 +1568,47 @@ int ec_GFp_simple_ladder_step(const EC_GROUP *group,
|
||||
t4 = BN_CTX_get(ctx);
|
||||
t5 = BN_CTX_get(ctx);
|
||||
t6 = BN_CTX_get(ctx);
|
||||
- t7 = BN_CTX_get(ctx);
|
||||
|
||||
- if (t7 == NULL
|
||||
- || !group->meth->field_mul(group, t0, r->X, s->X, ctx)
|
||||
- || !group->meth->field_mul(group, t1, r->Z, s->Z, ctx)
|
||||
- || !group->meth->field_mul(group, t2, r->X, s->Z, ctx)
|
||||
+ if (t6 == NULL
|
||||
+ || !group->meth->field_mul(group, t6, r->X, s->X, ctx)
|
||||
+ || !group->meth->field_mul(group, t0, r->Z, s->Z, ctx)
|
||||
+ || !group->meth->field_mul(group, t4, r->X, s->Z, ctx)
|
||||
|| !group->meth->field_mul(group, t3, r->Z, s->X, ctx)
|
||||
- || !group->meth->field_mul(group, t4, group->a, t1, ctx)
|
||||
- || !BN_mod_add_quick(t0, t0, t4, group->field)
|
||||
- || !BN_mod_add_quick(t4, t3, t2, group->field)
|
||||
- || !group->meth->field_mul(group, t0, t4, t0, ctx)
|
||||
- || !group->meth->field_sqr(group, t1, t1, ctx)
|
||||
- || !BN_mod_lshift_quick(t7, group->b, 2, group->field)
|
||||
- || !group->meth->field_mul(group, t1, t7, t1, ctx)
|
||||
- || !BN_mod_lshift1_quick(t0, t0, group->field)
|
||||
- || !BN_mod_add_quick(t0, t1, t0, group->field)
|
||||
- || !BN_mod_sub_quick(t1, t2, t3, group->field)
|
||||
- || !group->meth->field_sqr(group, t1, t1, ctx)
|
||||
- || !group->meth->field_mul(group, t3, t1, p->X, ctx)
|
||||
- || !group->meth->field_mul(group, t0, p->Z, t0, ctx)
|
||||
- /* s->X coord output */
|
||||
- || !BN_mod_sub_quick(s->X, t0, t3, group->field)
|
||||
- /* s->Z coord output */
|
||||
- || !group->meth->field_mul(group, s->Z, p->Z, t1, ctx)
|
||||
- || !group->meth->field_sqr(group, t3, r->X, ctx)
|
||||
- || !group->meth->field_sqr(group, t2, r->Z, ctx)
|
||||
- || !group->meth->field_mul(group, t4, t2, group->a, ctx)
|
||||
- || !BN_mod_add_quick(t5, r->X, r->Z, group->field)
|
||||
- || !group->meth->field_sqr(group, t5, t5, ctx)
|
||||
- || !BN_mod_sub_quick(t5, t5, t3, group->field)
|
||||
- || !BN_mod_sub_quick(t5, t5, t2, group->field)
|
||||
- || !BN_mod_sub_quick(t6, t3, t4, group->field)
|
||||
- || !group->meth->field_sqr(group, t6, t6, ctx)
|
||||
- || !group->meth->field_mul(group, t0, t2, t5, ctx)
|
||||
- || !group->meth->field_mul(group, t0, t7, t0, ctx)
|
||||
- /* r->X coord output */
|
||||
- || !BN_mod_sub_quick(r->X, t6, t0, group->field)
|
||||
+ || !group->meth->field_mul(group, t5, group->a, t0, ctx)
|
||||
+ || !BN_mod_add_quick(t5, t6, t5, group->field)
|
||||
|| !BN_mod_add_quick(t6, t3, t4, group->field)
|
||||
- || !group->meth->field_sqr(group, t3, t2, ctx)
|
||||
- || !group->meth->field_mul(group, t7, t3, t7, ctx)
|
||||
- || !group->meth->field_mul(group, t5, t5, t6, ctx)
|
||||
+ || !group->meth->field_mul(group, t5, t6, t5, ctx)
|
||||
+ || !group->meth->field_sqr(group, t0, t0, ctx)
|
||||
+ || !BN_mod_lshift_quick(t2, group->b, 2, group->field)
|
||||
+ || !group->meth->field_mul(group, t0, t2, t0, ctx)
|
||||
|| !BN_mod_lshift1_quick(t5, t5, group->field)
|
||||
+ || !BN_mod_sub_quick(t3, t4, t3, group->field)
|
||||
+ /* s->Z coord output */
|
||||
+ || !group->meth->field_sqr(group, s->Z, t3, ctx)
|
||||
+ || !group->meth->field_mul(group, t4, s->Z, p->X, ctx)
|
||||
+ || !BN_mod_add_quick(t0, t0, t5, group->field)
|
||||
+ /* s->X coord output */
|
||||
+ || !BN_mod_sub_quick(s->X, t0, t4, group->field)
|
||||
+ || !group->meth->field_sqr(group, t4, r->X, ctx)
|
||||
+ || !group->meth->field_sqr(group, t5, r->Z, ctx)
|
||||
+ || !group->meth->field_mul(group, t6, t5, group->a, ctx)
|
||||
+ || !BN_mod_add_quick(t1, r->X, r->Z, group->field)
|
||||
+ || !group->meth->field_sqr(group, t1, t1, ctx)
|
||||
+ || !BN_mod_sub_quick(t1, t1, t4, group->field)
|
||||
+ || !BN_mod_sub_quick(t1, t1, t5, group->field)
|
||||
+ || !BN_mod_sub_quick(t3, t4, t6, group->field)
|
||||
+ || !group->meth->field_sqr(group, t3, t3, ctx)
|
||||
+ || !group->meth->field_mul(group, t0, t5, t1, ctx)
|
||||
+ || !group->meth->field_mul(group, t0, t2, t0, ctx)
|
||||
+ /* r->X coord output */
|
||||
+ || !BN_mod_sub_quick(r->X, t3, t0, group->field)
|
||||
+ || !BN_mod_add_quick(t3, t4, t6, group->field)
|
||||
+ || !group->meth->field_sqr(group, t4, t5, ctx)
|
||||
+ || !group->meth->field_mul(group, t4, t4, t2, ctx)
|
||||
+ || !group->meth->field_mul(group, t1, t1, t3, ctx)
|
||||
+ || !BN_mod_lshift1_quick(t1, t1, group->field)
|
||||
/* r->Z coord output */
|
||||
- || !BN_mod_add_quick(r->Z, t7, t5, group->field))
|
||||
+ || !BN_mod_add_quick(r->Z, t4, t1, group->field))
|
||||
goto err;
|
||||
|
||||
ret = 1;
|
||||
@@ -1600,17 +1619,23 @@ int ec_GFp_simple_ladder_step(const EC_GROUP *group,
|
||||
}
|
||||
|
||||
/*-
|
||||
+ * Input:
|
||||
+ * - s, r: projective (homogeneous) coordinates
|
||||
+ * - p: affine coordinates
|
||||
+ *
|
||||
+ * Output:
|
||||
+ * - r := (x,y): affine coordinates
|
||||
+ *
|
||||
* Recovers the y-coordinate of r using Eq. (8) from Brier-Joye, "Weierstrass
|
||||
- * Elliptic Curves and Side-Channel Attacks", modified to work in projective
|
||||
- * coordinates and return r in Jacobian projective coordinates.
|
||||
+ * Elliptic Curves and Side-Channel Attacks", modified to work in mixed
|
||||
+ * projective coords, i.e. p is affine and (r,s) in projective (homogeneous)
|
||||
+ * coords, and return r in affine coordinates.
|
||||
*
|
||||
- * X4 = two*Y1*X2*Z3*Z2*Z1;
|
||||
- * Y4 = two*b*Z3*SQR(Z2*Z1) + Z3*(a*Z2*Z1+X1*X2)*(X1*Z2+X2*Z1) - X3*SQR(X1*Z2-X2*Z1);
|
||||
- * Z4 = two*Y1*Z3*SQR(Z2)*Z1;
|
||||
+ * X4 = two*Y1*X2*Z3*Z2;
|
||||
+ * Y4 = two*b*Z3*SQR(Z2) + Z3*(a*Z2+X1*X2)*(X1*Z2+X2) - X3*SQR(X1*Z2-X2);
|
||||
+ * Z4 = two*Y1*Z3*SQR(Z2);
|
||||
*
|
||||
* Z4 != 0 because:
|
||||
- * - Z1==0 implies p is at infinity, which would have caused an early exit in
|
||||
- * the caller;
|
||||
* - Z2==0 implies r is at infinity (handled by the BN_is_zero(r->Z) branch);
|
||||
* - Z3==0 implies s is at infinity (handled by the BN_is_zero(s->Z) branch);
|
||||
* - Y1==0 implies p has order 2, so either r or s are infinity and handled by
|
||||
@@ -1627,11 +1652,7 @@ int ec_GFp_simple_ladder_post(const EC_GROUP *group,
|
||||
return EC_POINT_set_to_infinity(group, r);
|
||||
|
||||
if (BN_is_zero(s->Z)) {
|
||||
- /* (X,Y,Z) -> (XZ,YZ**2,Z) */
|
||||
- if (!group->meth->field_mul(group, r->X, p->X, p->Z, ctx)
|
||||
- || !group->meth->field_sqr(group, r->Z, p->Z, ctx)
|
||||
- || !group->meth->field_mul(group, r->Y, p->Y, r->Z, ctx)
|
||||
- || !BN_copy(r->Z, p->Z)
|
||||
+ if (!EC_POINT_copy(r, p)
|
||||
|| !EC_POINT_invert(group, r, ctx))
|
||||
return 0;
|
||||
return 1;
|
||||
@@ -1647,38 +1668,46 @@ int ec_GFp_simple_ladder_post(const EC_GROUP *group,
|
||||
t6 = BN_CTX_get(ctx);
|
||||
|
||||
if (t6 == NULL
|
||||
- || !BN_mod_lshift1_quick(t0, p->Y, group->field)
|
||||
- || !group->meth->field_mul(group, t1, r->X, p->Z, ctx)
|
||||
- || !group->meth->field_mul(group, t2, r->Z, s->Z, ctx)
|
||||
- || !group->meth->field_mul(group, t2, t1, t2, ctx)
|
||||
- || !group->meth->field_mul(group, t3, t2, t0, ctx)
|
||||
- || !group->meth->field_mul(group, t2, r->Z, p->Z, ctx)
|
||||
- || !group->meth->field_sqr(group, t4, t2, ctx)
|
||||
- || !BN_mod_lshift1_quick(t5, group->b, group->field)
|
||||
- || !group->meth->field_mul(group, t4, t4, t5, ctx)
|
||||
- || !group->meth->field_mul(group, t6, t2, group->a, ctx)
|
||||
- || !group->meth->field_mul(group, t5, r->X, p->X, ctx)
|
||||
- || !BN_mod_add_quick(t5, t6, t5, group->field)
|
||||
- || !group->meth->field_mul(group, t6, r->Z, p->X, ctx)
|
||||
- || !BN_mod_add_quick(t2, t6, t1, group->field)
|
||||
- || !group->meth->field_mul(group, t5, t5, t2, ctx)
|
||||
- || !BN_mod_sub_quick(t6, t6, t1, group->field)
|
||||
- || !group->meth->field_sqr(group, t6, t6, ctx)
|
||||
- || !group->meth->field_mul(group, t6, t6, s->X, ctx)
|
||||
- || !BN_mod_add_quick(t4, t5, t4, group->field)
|
||||
- || !group->meth->field_mul(group, t4, t4, s->Z, ctx)
|
||||
- || !BN_mod_sub_quick(t4, t4, t6, group->field)
|
||||
- || !group->meth->field_sqr(group, t5, r->Z, ctx)
|
||||
- || !group->meth->field_mul(group, r->Z, p->Z, s->Z, ctx)
|
||||
- || !group->meth->field_mul(group, r->Z, t5, r->Z, ctx)
|
||||
- || !group->meth->field_mul(group, r->Z, r->Z, t0, ctx)
|
||||
- /* t3 := X, t4 := Y */
|
||||
- /* (X,Y,Z) -> (XZ,YZ**2,Z) */
|
||||
- || !group->meth->field_mul(group, r->X, t3, r->Z, ctx)
|
||||
+ || !BN_mod_lshift1_quick(t4, p->Y, group->field)
|
||||
+ || !group->meth->field_mul(group, t6, r->X, t4, ctx)
|
||||
+ || !group->meth->field_mul(group, t6, s->Z, t6, ctx)
|
||||
+ || !group->meth->field_mul(group, t5, r->Z, t6, ctx)
|
||||
+ || !BN_mod_lshift1_quick(t1, group->b, group->field)
|
||||
+ || !group->meth->field_mul(group, t1, s->Z, t1, ctx)
|
||||
|| !group->meth->field_sqr(group, t3, r->Z, ctx)
|
||||
- || !group->meth->field_mul(group, r->Y, t4, t3, ctx))
|
||||
+ || !group->meth->field_mul(group, t2, t3, t1, ctx)
|
||||
+ || !group->meth->field_mul(group, t6, r->Z, group->a, ctx)
|
||||
+ || !group->meth->field_mul(group, t1, p->X, r->X, ctx)
|
||||
+ || !BN_mod_add_quick(t1, t1, t6, group->field)
|
||||
+ || !group->meth->field_mul(group, t1, s->Z, t1, ctx)
|
||||
+ || !group->meth->field_mul(group, t0, p->X, r->Z, ctx)
|
||||
+ || !BN_mod_add_quick(t6, r->X, t0, group->field)
|
||||
+ || !group->meth->field_mul(group, t6, t6, t1, ctx)
|
||||
+ || !BN_mod_add_quick(t6, t6, t2, group->field)
|
||||
+ || !BN_mod_sub_quick(t0, t0, r->X, group->field)
|
||||
+ || !group->meth->field_sqr(group, t0, t0, ctx)
|
||||
+ || !group->meth->field_mul(group, t0, t0, s->X, ctx)
|
||||
+ || !BN_mod_sub_quick(t0, t6, t0, group->field)
|
||||
+ || !group->meth->field_mul(group, t1, s->Z, t4, ctx)
|
||||
+ || !group->meth->field_mul(group, t1, t3, t1, ctx)
|
||||
+ || (group->meth->field_decode != NULL
|
||||
+ && !group->meth->field_decode(group, t1, t1, ctx))
|
||||
+ || !group->meth->field_inv(group, t1, t1, ctx)
|
||||
+ || (group->meth->field_encode != NULL
|
||||
+ && !group->meth->field_encode(group, t1, t1, ctx))
|
||||
+ || !group->meth->field_mul(group, r->X, t5, t1, ctx)
|
||||
+ || !group->meth->field_mul(group, r->Y, t0, t1, ctx))
|
||||
goto err;
|
||||
|
||||
+ if (group->meth->field_set_to_one != NULL) {
|
||||
+ if (!group->meth->field_set_to_one(group, r->Z, ctx))
|
||||
+ goto err;
|
||||
+ } else {
|
||||
+ if (!BN_one(r->Z))
|
||||
+ goto err;
|
||||
+ }
|
||||
+
|
||||
+ r->Z_is_one = 1;
|
||||
ret = 1;
|
||||
|
||||
err:
|
||||
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
|
||||
index f28f2d2610..41625e75ad 100644
|
||||
--- a/crypto/x509/x509_vfy.c
|
||||
+++ b/crypto/x509/x509_vfy.c
|
||||
@@ -508,6 +508,12 @@ static int check_chain_extensions(X509_STORE_CTX *ctx)
|
||||
ret = 1;
|
||||
break;
|
||||
}
|
||||
+ if ((x->ex_flags & EXFLAG_CA) == 0
|
||||
+ && x->ex_pathlen != -1
|
||||
+ && (ctx->param->flags & X509_V_FLAG_X509_STRICT)) {
|
||||
+ ctx->error = X509_V_ERR_INVALID_EXTENSION;
|
||||
+ ret = 0;
|
||||
+ }
|
||||
if (ret == 0 && !verify_cb_cert(ctx, x, i, X509_V_OK))
|
||||
return 0;
|
||||
/* check_purpose() makes the callback as needed */
|
||||
diff --git a/crypto/x509v3/v3_purp.c b/crypto/x509v3/v3_purp.c
|
||||
index 2bc8253d2d..2eaad1a763 100644
|
||||
--- a/crypto/x509v3/v3_purp.c
|
||||
+++ b/crypto/x509v3/v3_purp.c
|
||||
@@ -384,12 +384,16 @@ static void x509v3_cache_extensions(X509 *x)
|
||||
if (bs->ca)
|
||||
x->ex_flags |= EXFLAG_CA;
|
||||
if (bs->pathlen) {
|
||||
- if ((bs->pathlen->type == V_ASN1_NEG_INTEGER)
|
||||
- || !bs->ca) {
|
||||
+ if (bs->pathlen->type == V_ASN1_NEG_INTEGER) {
|
||||
x->ex_flags |= EXFLAG_INVALID;
|
||||
x->ex_pathlen = 0;
|
||||
- } else
|
||||
+ } else {
|
||||
x->ex_pathlen = ASN1_INTEGER_get(bs->pathlen);
|
||||
+ if (!bs->ca && x->ex_pathlen != 0) {
|
||||
+ x->ex_flags |= EXFLAG_INVALID;
|
||||
+ x->ex_pathlen = 0;
|
||||
+ }
|
||||
+ }
|
||||
} else
|
||||
x->ex_pathlen = -1;
|
||||
BASIC_CONSTRAINTS_free(bs);
|
||||
diff --git a/doc/man3/EVP_aes.pod b/doc/man3/EVP_aes.pod
|
||||
index 4192a9ec36..7db48a427f 100644
|
||||
--- a/doc/man3/EVP_aes.pod
|
||||
+++ b/doc/man3/EVP_aes.pod
|
||||
@@ -160,6 +160,13 @@ In particular, XTS-AES-128 (B<EVP_aes_128_xts>) takes input of a 256-bit key to
|
||||
achieve AES 128-bit security, and XTS-AES-256 (B<EVP_aes_256_xts>) takes input
|
||||
of a 512-bit key to achieve AES 256-bit security.
|
||||
|
||||
+The XTS implementation in OpenSSL does not support streaming. That is there must
|
||||
+only be one L<EVP_EncryptUpdate(3)> call per L<EVP_EncryptInit_ex(3)> call (and
|
||||
+similarly with the "Decrypt" functions).
|
||||
+
|
||||
+The I<iv> parameter to L<EVP_EncryptInit_ex(3)> or L<EVP_DecryptInit_ex(3)> is
|
||||
+the XTS "tweak" value.
|
||||
+
|
||||
=back
|
||||
|
||||
=head1 RETURN VALUES
|
||||
diff --git a/test/certs/ee-pathlen.pem b/test/certs/ee-pathlen.pem
|
||||
new file mode 100644
|
||||
index 0000000000..0bcae1d7bd
|
||||
--- /dev/null
|
||||
+++ b/test/certs/ee-pathlen.pem
|
||||
@@ -0,0 +1,17 @@
|
||||
+-----BEGIN CERTIFICATE-----
|
||||
+MIICszCCAZugAwIBAgIBAjANBgkqhkiG9w0BAQsFADANMQswCQYDVQQDDAJDQTAg
|
||||
+Fw0yMDA0MDMwODA0MTVaGA8yMTIwMDQwNDA4MDQxNVowGTEXMBUGA1UEAwwOc2Vy
|
||||
+dmVyLmV4YW1wbGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCo/4lY
|
||||
+YYWu3tssD9Vz++K3qBt6dWAr1H08c3a1rt6TL38kkG3JHPSKOM2fooAWVsu0LLuT
|
||||
+5Rcf/w3GQ/4xNPgo2HXpo7uIgu+jcuJTYgVFTeAxl++qnRDSWA2eBp4yuxsIVl1l
|
||||
+Dz9mjsI2oBH/wFk1/Ukc3RxCMwZ4rgQ4I+XndWfTlK1aqUAfrFkQ9QzBZK1KxMY1
|
||||
+U7OWaoIbFYvRmavknm+UqtKW5Vf7jJFkijwkFsbSGb6CYBM7YrDtPh2zyvlr3zG5
|
||||
+ep5LR2inKcc/SuIiJ7TvkGPX79ByST5brbkb1Ctvhmjd1XMSuEPJ3EEPoqNGT4tn
|
||||
+iIQPYf55NB9KiR+3AgMBAAGjEDAOMAwGA1UdEwQFMAMCAQAwDQYJKoZIhvcNAQEL
|
||||
+BQADggEBAApOUnWWd09I0ts3xa1oK7eakc+fKTF4d7pbGznFNONaCR3KFRgnBVlG
|
||||
+Bm8/oehrrQ28Ad3XPSug34DQQ5kM6JIuaddx50/n4Xkgj8/fgXVA0HXizOJ3QpKC
|
||||
+IojLVajXlQHhpo72VUQuNOha0UxG9daYjS20iXRhanTm9rUz7qQZEugVQCiR0z/f
|
||||
+9NgM7FU9UaSidzH3gZu/Ufc4Ggn6nZV7LM9sf4IUV+KszS1VpcK+9phAmsB6BaAi
|
||||
+cFXvVXZjTNualQgPyPwOD8c+vVCIfIemfF5TZ6fyqpOjprWQAphwrTtfNDSmqRTz
|
||||
+FRhDf+vJERQclgUtg37EgWGKtnNQeRY=
|
||||
+-----END CERTIFICATE-----
|
||||
diff --git a/test/certs/setup.sh b/test/certs/setup.sh
|
||||
index 2d53ea5b08..bbe4842a51 100755
|
||||
--- a/test/certs/setup.sh
|
||||
+++ b/test/certs/setup.sh
|
||||
@@ -154,7 +154,7 @@ openssl x509 -in sca-cert.pem -trustout \
|
||||
-addtrust anyExtendedKeyUsage -out sca+anyEKU.pem
|
||||
|
||||
# Primary leaf cert: ee-cert
|
||||
-# ee variants: expired, issuer-key2, issuer-name2
|
||||
+# ee variants: expired, issuer-key2, issuer-name2, bad-pathlen
|
||||
# trust variants: +serverAuth, -serverAuth, +clientAuth, -clientAuth
|
||||
# purpose variants: client
|
||||
#
|
||||
@@ -163,6 +163,8 @@ openssl x509 -in sca-cert.pem -trustout \
|
||||
./mkcert.sh genee server.example ee-key ee-cert2 ca-key2 ca-cert2
|
||||
./mkcert.sh genee server.example ee-key ee-name2 ca-key ca-name2
|
||||
./mkcert.sh genee -p clientAuth server.example ee-key ee-client ca-key ca-cert
|
||||
+./mkcert.sh genee server.example ee-key ee-pathlen ca-key ca-cert \
|
||||
+ -extfile <(echo "basicConstraints=CA:FALSE,pathlen:0")
|
||||
#
|
||||
openssl x509 -in ee-cert.pem -trustout \
|
||||
-addtrust serverAuth -out ee+serverAuth.pem
|
||||
diff --git a/test/recipes/25-test_verify.t b/test/recipes/25-test_verify.t
|
||||
index b80a1cde3e..0e0f5dca21 100644
|
||||
--- a/test/recipes/25-test_verify.t
|
||||
+++ b/test/recipes/25-test_verify.t
|
||||
@@ -27,7 +27,7 @@ sub verify {
|
||||
run(app([@args]));
|
||||
}
|
||||
|
||||
-plan tests => 135;
|
||||
+plan tests => 137;
|
||||
|
||||
# Canonical success
|
||||
ok(verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"]),
|
||||
@@ -222,6 +222,10 @@ ok(verify("ee-client", "sslclient", [qw(ee+clientAuth)], [], "-partial_chain"),
|
||||
"accept direct match with client trust");
|
||||
ok(!verify("ee-client", "sslclient", [qw(ee-clientAuth)], [], "-partial_chain"),
|
||||
"reject direct match with client mistrust");
|
||||
+ok(verify("ee-pathlen", "sslserver", [qw(root-cert)], [qw(ca-cert)]),
|
||||
+ "accept non-ca with pathlen:0 by default");
|
||||
+ok(!verify("ee-pathlen", "sslserver", [qw(root-cert)], [qw(ca-cert)], "-x509_strict"),
|
||||
+ "reject non-ca with pathlen:0 with strict flag");
|
||||
|
||||
# Proxy certificates
|
||||
ok(!verify("pc1-cert", "sslclient", [qw(root-cert)], [qw(ee-client ca-cert)]),
|
||||
diff --git a/test/sm2_internal_test.c b/test/sm2_internal_test.c
|
||||
index 952f688e8b..f7e4e38d03 100644
|
||||
--- a/test/sm2_internal_test.c
|
||||
+++ b/test/sm2_internal_test.c
|
||||
@@ -32,17 +32,18 @@ static size_t fake_rand_size = 0;
|
||||
|
||||
static int get_faked_bytes(unsigned char *buf, int num)
|
||||
{
|
||||
- int i;
|
||||
-
|
||||
if (fake_rand_bytes == NULL)
|
||||
return saved_rand->bytes(buf, num);
|
||||
|
||||
- if (!TEST_size_t_le(fake_rand_bytes_offset + num, fake_rand_size))
|
||||
+ if (!TEST_size_t_gt(fake_rand_size, 0))
|
||||
return 0;
|
||||
|
||||
- for (i = 0; i != num; ++i)
|
||||
- buf[i] = fake_rand_bytes[fake_rand_bytes_offset + i];
|
||||
- fake_rand_bytes_offset += num;
|
||||
+ while (num-- > 0) {
|
||||
+ if (fake_rand_bytes_offset >= fake_rand_size)
|
||||
+ fake_rand_bytes_offset = 0;
|
||||
+ *buf++ = fake_rand_bytes[fake_rand_bytes_offset++];
|
||||
+ }
|
||||
+
|
||||
return 1;
|
||||
}
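Review bot: get_faked_bytes now wraps around instead of failing once the scripted bytes are exhausted, and the two `TEST_size_t_eq(fake_rand_bytes_offset, fake_rand_size)` checks in the later hunks of this file are dropped, so a test can no longer detect that the code under test consumed the fixed k vector more than once. The wrap is presumably needed because the blinded ladder now draws additional random bytes inside the scalar multiplication, but that rationale belongs in a comment: `/* the ladder blinding draws extra bytes after k; recycle the vector instead of failing */`. If that is the intent, consider counting wraparounds in a static and letting test_sm2_sign and test_sm2_crypt assert the expected count, so an unexpected extra draw still fails loudly rather than being silently served recycled bytes.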
|
||||
|
||||
@@ -175,8 +176,7 @@ static int test_sm2_crypt(const EC_GROUP *group,
|
||||
|
||||
start_fake_rand(k_hex);
|
||||
if (!TEST_true(sm2_encrypt(key, digest, (const uint8_t *)message, msg_len,
|
||||
- ctext, &ctext_len))
|
||||
- || !TEST_size_t_eq(fake_rand_bytes_offset, fake_rand_size)) {
|
||||
+ ctext, &ctext_len))) {
|
||||
restore_rand();
|
||||
goto done;
|
||||
}
|
||||
@@ -296,8 +296,7 @@ static int test_sm2_sign(const EC_GROUP *group,
|
||||
start_fake_rand(k_hex);
|
||||
sig = sm2_do_sign(key, EVP_sm3(), (const uint8_t *)userid, strlen(userid),
|
||||
(const uint8_t *)message, msg_len);
|
||||
- if (!TEST_ptr(sig)
|
||||
- || !TEST_size_t_eq(fake_rand_bytes_offset, fake_rand_size)) {
|
||||
+ if (!TEST_ptr(sig)) {
|
||||
restore_rand();
|
||||
goto done;
|
||||
}
|
|
@ -1,12 +1,12 @@
|
|||
diff -up openssl-1.1.1f/include/openssl/opensslv.h.version-override openssl-1.1.1f/include/openssl/opensslv.h
|
||||
--- openssl-1.1.1f/include/openssl/opensslv.h.version-override 2020-04-07 16:46:21.792998242 +0200
|
||||
+++ openssl-1.1.1f/include/openssl/opensslv.h 2020-04-07 16:47:18.919962564 +0200
|
||||
diff -up openssl-1.1.1g/include/openssl/opensslv.h.version-override openssl-1.1.1g/include/openssl/opensslv.h
|
||||
--- openssl-1.1.1g/include/openssl/opensslv.h.version-override 2020-04-23 13:29:37.802673513 +0200
|
||||
+++ openssl-1.1.1g/include/openssl/opensslv.h 2020-04-23 13:30:13.064008458 +0200
|
||||
@@ -40,7 +40,7 @@ extern "C" {
|
||||
* major minor fix final patch/beta)
|
||||
*/
|
||||
# define OPENSSL_VERSION_NUMBER 0x1010106fL
|
||||
-# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1f 31 Mar 2020"
|
||||
+# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1f FIPS 31 Mar 2020"
|
||||
# define OPENSSL_VERSION_NUMBER 0x1010107fL
|
||||
-# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1g 21 Apr 2020"
|
||||
+# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1g FIPS 21 Apr 2020"
|
||||
|
||||
/*-
|
||||
* The macros below are to be used for shared library (.so, .dll, ...)
|
||||
|
|
81
openssl.spec
81
openssl.spec
|
@ -21,8 +21,8 @@
|
|||
|
||||
Summary: Utilities from the general purpose cryptography library with TLS implementation
|
||||
Name: openssl
|
||||
Version: 1.1.1f
|
||||
Release: 1.0.riscv64%{?dist}
|
||||
Version: 1.1.1g
|
||||
Release: 14.0.riscv64%{?dist}
|
||||
Epoch: 1
|
||||
# We have to remove certain patented algorithms from the openssl source
|
||||
# tarball with the hobble-openssl script which is included below.
|
||||
|
@ -62,15 +62,23 @@ Patch47: openssl-1.1.1-ts-sha256-default.patch
|
|||
Patch48: openssl-1.1.1-fips-post-rand.patch
|
||||
Patch49: openssl-1.1.1-evp-kdf.patch
|
||||
Patch50: openssl-1.1.1-ssh-kdf.patch
|
||||
Patch51: openssl-1.1.1-intel-cet.patch
|
||||
Patch60: openssl-1.1.1-krb5-kdf.patch
|
||||
Patch61: openssl-1.1.1-intel-cet.patch
|
||||
Patch61: openssl-1.1.1-edk2-build.patch
|
||||
Patch62: openssl-1.1.1-fips-curves.patch
|
||||
Patch65: openssl-1.1.1-fips-drbg-selftest.patch
|
||||
Patch66: openssl-1.1.1-fips-dh.patch
|
||||
Patch67: openssl-1.1.1-kdf-selftest.patch
|
||||
Patch68: openssl-1.1.1-reneg-no-extms.patch
|
||||
Patch69: openssl-1.1.1-alpn-cb.patch
|
||||
Patch70: openssl-1.1.1-rewire-fips-drbg.patch
|
||||
# Backported fixes including security fixes
|
||||
Patch52: openssl-1.1.1-s390x-update.patch
|
||||
Patch53: openssl-1.1.1-fips-crng-test.patch
|
||||
Patch54: openssl-1.1.1-upstream-sync.patch
|
||||
Patch55: openssl-1.1.1-arm-update.patch
|
||||
Patch56: openssl-1.1.1-s390x-ecc.patch
|
||||
|
||||
License: OpenSSL
|
||||
License: OpenSSL and ASL 2.0
|
||||
URL: http://www.openssl.org/
|
||||
BuildRequires: gcc
|
||||
BuildRequires: coreutils, perl-interpreter, sed, zlib-devel, /usr/bin/cmp
|
||||
|
@ -167,12 +175,20 @@ cp %{SOURCE13} test/
|
|||
%patch48 -p1 -b .fips-post-rand
|
||||
%patch49 -p1 -b .evp-kdf
|
||||
%patch50 -p1 -b .ssh-kdf
|
||||
%patch51 -p1 -b .intel-cet
|
||||
%patch52 -p1 -b .s390x-update
|
||||
%patch53 -p1 -b .crng-test
|
||||
%patch55 -p1 -b .arm-update
|
||||
%patch56 -p1 -b .s390x-ecc
|
||||
%patch60 -p1 -b .krb5-kdf
|
||||
%patch61 -p1 -b .intel-cet
|
||||
%patch61 -p1 -b .edk2-build
|
||||
%patch62 -p1 -b .fips-curves
|
||||
%patch65 -p1 -b .drbg-selftest
|
||||
%patch54 -p1 -b .upstream-sync
|
||||
%patch66 -p1 -b .fips-dh
|
||||
%patch67 -p1 -b .kdf-selftest
|
||||
%patch68 -p1 -b .reneg-no-extms
|
||||
%patch69 -p1 -b .alpn-cb
|
||||
%patch70 -p1 -b .rewire-fips-drbg
|
||||
|
||||
|
||||
%build
|
||||
|
@ -314,7 +330,7 @@ make test
|
|||
[ "$RPM_BUILD_ROOT" != "/" ] && rm -rf $RPM_BUILD_ROOT
|
||||
# Install OpenSSL.
|
||||
install -d $RPM_BUILD_ROOT{%{_bindir},%{_includedir},%{_libdir},%{_mandir},%{_libdir}/openssl,%{_pkgdocdir}}
|
||||
make DESTDIR=$RPM_BUILD_ROOT install
|
||||
%make_install
|
||||
rename so.%{soversion} so.%{version} $RPM_BUILD_ROOT%{_libdir}/*.so.%{soversion}
|
||||
for lib in $RPM_BUILD_ROOT%{_libdir}/*.so.%{version} ; do
|
||||
chmod 755 ${lib}
|
||||
|
@ -462,9 +478,56 @@ export LD_LIBRARY_PATH
|
|||
%ldconfig_scriptlets libs
|
||||
|
||||
%changelog
|
||||
* Sun Apr 12 2020 David Abdurachmanov <david.abdurachmanov@sifive.com> 1.1.1f-1.0.riscv64
|
||||
* Thu Jul 23 2020 David Abdurachmanov <david.abdurachmanov@sifive.com> 1:1.1.1g-14.0.riscv64
|
||||
- Add --libdir=%{_lib} for riscv64 (uses linux-generic64)
|
||||
|
||||
* Tue Jul 21 2020 Tom Stellard <tstellar@redhat.com> - 1:1.1.1g-14
|
||||
- Use make macros
|
||||
- https://fedoraproject.org/wiki/Changes/UseMakeBuildInstallMacro
|
||||
|
||||
* Mon Jul 20 2020 Tomáš Mráz <tmraz@redhat.com> 1.1.1g-13
|
||||
- Additional FIPS mode check for EC key generation
|
||||
|
||||
* Fri Jul 17 2020 Tomáš Mráz <tmraz@redhat.com> 1.1.1g-12
|
||||
- Further changes for SP 800-56A rev3 requirements
|
||||
|
||||
* Mon Jun 22 2020 Tomáš Mráz <tmraz@redhat.com> 1.1.1g-11
|
||||
- Drop long ago obsolete part of the FIPS patch
|
||||
|
||||
* Mon Jun 22 2020 Tomáš Mráz <tmraz@redhat.com> 1.1.1g-10
|
||||
- Rewire FIPS_drbg API to use the RAND_DRBG
|
||||
|
||||
* Fri Jun 5 2020 Tomáš Mráz <tmraz@redhat.com> 1.1.1g-9
|
||||
- Disallow dropping Extended Master Secret extension
|
||||
on renegotiation
|
||||
- Return alert from s_server if ALPN protocol does not match
|
||||
- SHA1 is allowed in @SECLEVEL=2 only if allowed by
|
||||
TLS SigAlgs configuration
|
||||
|
||||
* Wed Jun 3 2020 Tomáš Mráz <tmraz@redhat.com> 1.1.1g-8
|
||||
- Add FIPS selftest for PBKDF2 and KBKDF
|
||||
|
||||
* Tue May 26 2020 Tomáš Mráz <tmraz@redhat.com> 1.1.1g-7
|
||||
- Use the well known DH groups in TLS
|
||||
|
||||
* Mon May 25 2020 Tomáš Mráz <tmraz@redhat.com> 1.1.1g-6
|
||||
- Allow only well known DH groups in the FIPS mode
|
||||
|
||||
* Thu May 21 2020 Adam Williamson <awilliam@redhat.com> - 1.1.1g-5
|
||||
- Re-apply the change from -2 now we have fixed nosync to work with it
|
||||
|
||||
* Tue May 19 2020 Adam Williamson <awilliam@redhat.com> - 1.1.1g-4
|
||||
- Revert the change from -2 as it seems to cause segfaults in systemd
|
||||
|
||||
* Mon May 18 2020 Tomáš Mráz <tmraz@redhat.com> 1.1.1g-3
|
||||
- pull some fixes and improvements from RHEL-8
|
||||
|
||||
* Fri May 15 2020 Tomáš Mráz <tmraz@redhat.com> 1.1.1g-2
|
||||
- FIPS module installed state definition is modified
|
||||
|
||||
* Thu Apr 23 2020 Tomáš Mráz <tmraz@redhat.com> 1.1.1g-1
|
||||
- update to the 1.1.1g release
|
||||
|
||||
* Tue Apr 7 2020 Tomáš Mráz <tmraz@redhat.com> 1.1.1f-1
|
||||
- update to the 1.1.1f release
|
||||
|
||||
|
|
2
sources
2
sources
|
@ -1 +1 @@
|
|||
SHA512 (openssl-1.1.1f-hobbled.tar.xz) = 551feb19c8606e86d03b05ef47294cc47048e1e2e33e0474b2e309984e034c72e04b120740e3b1aeca275fa4c52138830a724d09a861d51c133b6baa754e23d2
|
||||
SHA512 (openssl-1.1.1g-hobbled.tar.xz) = 7cd351d8fd4a028edcdc6804d8b73af7ff5693ab96cafd4f9252534d4e8e9000e22aefa45f51db490da52d89f4e5b41d02452be0b516fbb0fe84e36d5ca54971
|
||||
|
|
|
@ -10,8 +10,9 @@
|
|||
tests:
|
||||
- python_selftest:
|
||||
dir: python/selftest
|
||||
run: VERSION=3.7 X="test_ssl test_asyncio test_hashlib test_ftplib test_httplib test_imaplib test_logging test_nntplib test_poplib test_urllib2_localnet test_urllib test_xmlrpc" ./parallel.sh
|
||||
run: X="test_ssl test_asyncio test_hashlib test_ftplib test_httplib test_imaplib test_logging test_nntplib test_poplib test_urllib2_localnet test_urllib test_xmlrpc" ./parallel.sh
|
||||
required_packages:
|
||||
- gcc # for extension building in venv and selftest
|
||||
- python3-tkinter # for selftest
|
||||
- python3-test # for selftest
|
||||
- python3-test # for selftest
|
||||
- python3-rpm-macros # for dynamic python version
|
||||
|
|